From 1d2e67d38ca195f115b3f06e1dbda3ab9c6d3df7 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sat, 11 Feb 2017 10:48:08 +0100 Subject: Dissected SSH client/server versions and reported in data structures --- example/ndpi_util.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 3168a5010..171ab8e95 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -62,8 +62,8 @@ typedef struct ndpi_flow_info { char bittorent_hash[41]; struct { - char client_certificate[48], server_certificate[48]; - } ssl; + char client_info[48], server_info[48]; + } ssh_ssl; void *src_id, *dst_id; } ndpi_flow_info_t; -- cgit v1.2.3 From e2cfc96577be5fe97cd5ce63ac30b23cbfadce84 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Mon, 13 Feb 2017 01:29:25 +0100 Subject: Improvements for exporting info in MDNS and UBNTAC2 protocols Added test pcap file for UBNTAC2 --- example/ndpiReader.c | 2 +- example/ndpi_util.c | 6 +++++- example/ndpi_util.h | 1 + src/include/ndpi_typedefs.h | 8 ++++++++ src/lib/protocols/mdns.c | 21 +++++++++++++++----- src/lib/protocols/ubntac2.c | 35 ++++++++++++++++++++++++++++----- tests/pcap/ubntac2.pcap | Bin 0 -> 1888 bytes tests/result/skype_no_unknown.pcap.out | 2 +- tests/result/ubntac2.pcap.out | 10 ++++++++++ 9 files changed, 72 insertions(+), 13 deletions(-) create mode 100644 tests/pcap/ubntac2.pcap create mode 100644 tests/result/ubntac2.pcap.out (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 4bf786aa8..72b495912 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c 
@@ -387,7 +387,7 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { flow->packets, (long long unsigned int) flow->bytes); if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); - + if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info); if(flow->ssh_ssl.client_info[0] != '\0') fprintf(out, "[client: %s]", flow->ssh_ssl.client_info); if(flow->ssh_ssl.server_info[0] != '\0') fprintf(out, "[server: %s]", flow->ssh_ssl.server_info); diff --git a/example/ndpi_util.c b/example/ndpi_util.c index d5cb27d5a..3397d8a92 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -516,8 +516,12 @@ static unsigned int packet_processing(struct ndpi_workflow * workflow, } if(n == 0) flow->bittorent_hash[0] = '\0'; + } else if(flow->detected_protocol.protocol == NDPI_PROTOCOL_MDNS) { + snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.mdns.answer); + } else if(flow->detected_protocol.protocol == NDPI_PROTOCOL_UBNTAC2) { + snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.ubntac2.version); } - + if((proto == IPPROTO_TCP) && (flow->detected_protocol.protocol != NDPI_PROTOCOL_DNS)) { if(flow->detected_protocol.protocol == NDPI_PROTOCOL_SSH) { snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s", diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 171ab8e95..6ff17bac2 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -58,6 +58,7 @@ typedef struct ndpi_flow_info { // result only, not used for flow identification ndpi_protocol detected_protocol; + char info[96]; char host_server_name[192]; char bittorent_hash[41]; diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 801f1e768..68e332c23 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h 
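Review bot: In the printFlow hunk of example/ndpiReader.c, the added `fprintf(out, "[%s]", flow->info);` prints text that this same commit fills from packet payload (the mDNS answer and the UBNT version) without removing control characters. The mDNS copy loop only maps bytes below 13 to '.', and the UBNT loop copies bytes unchanged, so escape sequences and other non-printable bytes chosen by the sender reach the report file or the terminal that displays it. Filtering at copy time covers every consumer of the field, for example `answer[j++] = isprint(packet->payload[i]) ? packet->payload[i] : '.';` in mdns.c and the same expression for `version[j++]` in ubntac2.c. printFlow's body starts and ends outside the hunk.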
@@ -960,6 +960,14 @@ struct ndpi_flow_struct { struct { char client_signature[48], server_signature[48]; } ssh; + + struct { + char answer[96]; + } mdns; + + struct { + char version[96]; + } ubntac2; } protos; /*** ALL protocol specific 64 bit variables here ***/ diff --git a/src/lib/protocols/mdns.c b/src/lib/protocols/mdns.c index b3184c26f..0692b3252 100644 --- a/src/lib/protocols/mdns.c +++ b/src/lib/protocols/mdns.c @@ -63,13 +63,26 @@ static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct ntohs(get_u_int16_t(packet->payload, 6)) <= NDPI_MAX_MDNS_REQUESTS) { NDPI_LOG(NDPI_PROTOCOL_MDNS, ndpi_struct, NDPI_LOG_DEBUG, "found MDNS with question query.\n"); - return 1; - + return 1; } else if((packet->payload[2] & 0x80) != 0 && ntohs(get_u_int16_t(packet->payload, 4)) == 0 && ntohs(get_u_int16_t(packet->payload, 6)) <= NDPI_MAX_MDNS_REQUESTS && ntohs(get_u_int16_t(packet->payload, 6)) != 0) { + char answer[256]; + int i, j, len; + + for(i=13, j=0; (packet->payload[i] != 0) && (i < packet->payload_packet_len) && (i < (sizeof(answer)-1)); i++) + answer[j++] = (packet->payload[i] < 13) ? '.' : packet->payload[i]; + + answer[j] = '\0'; + + /* printf("==> [%d] %s\n", j, answer); */ + + len = ndpi_min(sizeof(flow->protos.mdns.answer)-1, j); + strncpy(flow->protos.mdns.answer, (const char *)answer, len); + flow->protos.mdns.answer[len] = '\0'; + NDPI_LOG(NDPI_PROTOCOL_MDNS, ndpi_struct, NDPI_LOG_DEBUG, "found MDNS with answer query.\n"); return 1; } @@ -87,14 +100,12 @@ void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct n */ /* check if UDP packet */ - if(packet->udp != NULL) { - + if(packet->udp != NULL) { /* read destination port */ dport = ntohs(packet->udp->dest); /* check standard MDNS ON port 5353 */ if(dport == 5353 && packet->payload_packet_len >= 12) { - /* mdns protocol must have destination address 224.0.0.251 */ if(packet->iph != NULL && ntohl(packet->iph->daddr) == 0xe00000fb) { 
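Review bot: In ndpi_int_check_mdns_payload (mdns.c, hunk @@ -63,13 +63,26) the copy loop evaluates `packet->payload[i] != 0` before `i < packet->payload_packet_len`, so it can read one byte past the end of the payload. This happens when the name is not NUL-terminated inside the packet, and index 13 is read even for a 12- or 13-byte payload; the only length check visible, in ndpi_search_mdns in the next hunk, is `payload_packet_len >= 12`. Put the length test first: `for(i=13, j=0; (i < packet->payload_packet_len) && (i < (sizeof(answer)-1)) && (packet->payload[i] != 0); i++)`. The version loop added to ndpi_search_ubntac2 in ubntac2.c has the same ordering and needs the same change. The function starts outside the hunk.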
diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c index b465e0a30..7196ee884 100644 --- a/src/lib/protocols/ubntac2.c +++ b/src/lib/protocols/ubntac2.c @@ -37,12 +37,37 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc if(packet->udp) { if(packet->payload_packet_len >= 135 && - (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001)) && - memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { + (packet->udp->source == htons(10001) || packet->udp->dest == htons(10001))) { + int found = 0; - NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); - - ndpi_int_ubntac2_add_connection(ndpi_struct, flow); + if(memcmp(&(packet->payload[36]), "UBNT", 4) == 0) { + found = 36+5; + } else if(memcmp(&(packet->payload[49]), "ubnt", 4) == 0) { + found = 49+5; + } + + if(found) { + char version[256]; + int i, j, len; + + found += packet->payload[found+1] + 4; /* Skip model name */ + found++; /* Skip len*/ + + if(found < packet->payload_packet_len) { + for(i=found, j=0; (packet->payload[i] != 0) && (i < packet->payload_packet_len) && (i < (sizeof(version)-1)); i++) + version[j++] = packet->payload[i]; + + version[j] = '\0'; + + len = ndpi_min(sizeof(flow->protos.ubntac2.version)-1, j); + strncpy(flow->protos.ubntac2.version, (const char *)version, len); + flow->protos.ubntac2.version[len] = '\0'; + } + + NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); + + ndpi_int_ubntac2_add_connection(ndpi_struct, flow); + } return; } } diff --git a/tests/pcap/ubntac2.pcap b/tests/pcap/ubntac2.pcap new file mode 100644 index 000000000..254700b61 Binary files /dev/null and b/tests/pcap/ubntac2.pcap differ diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index 49579d00a..d8b67aab0 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out 
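Review bot: In ndpi_search_ubntac2 the version loop bounds the packet offset `i` by `sizeof(version)-1` where it should bound the output index `j`. After `found += packet->payload[found+1] + 4;` the offset can exceed 255, because the length byte comes from the packet, and in that case the loop body never runs and the version is left empty even though the data is inside the payload. Bounding `j`, with the packet-length test placed before the dereference, fixes this: `for(i=found, j=0; (i < packet->payload_packet_len) && (j < (int)(sizeof(version)-1)) && (packet->payload[i] != 0); i++)`. The function starts outside the hunk.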
@@ -239,7 +239,7 @@ MS_OneDrive 348 181687 1 226 TCP 192.168.1.34:51255 <-> 157.55.130.142:40005 [proto: 125/Skype][17 pkts/1322 bytes] 227 UDP 239.255.255.250:1900 <-> 192.168.0.254:1025 [proto: 12/SSDP][36 pkts/13402 bytes] 228 TCP 192.168.1.34:51253 <-> 64.4.23.166:443 [proto: 91/SSL][14 pkts/1432 bytes] - 229 UDP 192.168.1.92:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/142 bytes] + 229 UDP 192.168.1.92:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/142 bytes][Lucas-iMac.local] 230 UDP 192.168.1.34:13021 <-> 64.4.23.145:40027 [proto: 125/Skype][1 pkts/73 bytes] 231 UDP 192.168.1.34:13021 <-> 64.4.23.142:40023 [proto: 125/Skype][1 pkts/72 bytes] 232 UDP 192.168.1.34:13021 <-> 64.4.23.140:40003 [proto: 125/Skype][1 pkts/67 bytes] diff --git a/tests/result/ubntac2.pcap.out b/tests/result/ubntac2.pcap.out new file mode 100644 index 000000000..02e7d8e59 --- /dev/null +++ b/tests/result/ubntac2.pcap.out 
@@ -0,0 +1,10 @@ +UBNTAC2 8 1736 8 + + 1 UDP 192.168.1.1:42838 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 2 UDP 192.168.1.1:47746 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 3 UDP 192.168.1.1:52220 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 4 UDP 192.168.1.1:59772 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 5 UDP 192.168.1.1:34085 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 6 UDP 192.168.1.1:44641 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 7 UDP 192.168.1.1:47871 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 8 UDP 192.168.1.1:55321 <-> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] -- cgit v1.2.3 From 92b1b46fa67e9de42a028ef9ec0d618cd8e701c5 Mon Sep 17 00:00:00 2001 
From: Luca Deri Date: Tue, 21 Mar 2017 00:48:16 +0100 Subject: SSL server certificate is now detected --- example/ndpiReader.c | 1 + example/ndpi_util.c | 112 ++++++------ example/ndpi_util.h | 1 + src/lib/ndpi_main.c | 52 +++--- src/lib/protocols/ssl.c | 6 +- tests/result/6in4tunnel.pcap.out | 2 +- tests/result/KakaoTalk_chat.pcap.out | 47 ----- tests/result/KakaoTalk_talk.pcap.out | 31 ---- tests/result/quickplay.pcap.out | 26 --- tests/result/skype.pcap.out | 312 ++++++++++++++++----------------- tests/result/skype_no_unknown.pcap.out | 290 +++++++++++++++--------------- tests/result/viber_mobile.pcap.out | 4 +- tests/result/webex.pcap.out | 2 +- 13 files changed, 398 insertions(+), 488 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index aa5db8821..dda137df9 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -517,6 +517,7 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept } } + process_ndpi_collected_info(ndpi_thread_info[thread_id].workflow, flow); ndpi_thread_info[thread_id].workflow->stats.protocol_counter[flow->detected_protocol.app_protocol] += flow->packets; ndpi_thread_info[thread_id].workflow->stats.protocol_counter_bytes[flow->detected_protocol.app_protocol] += flow->bytes; ndpi_thread_info[thread_id].workflow->stats.protocol_flows[flow->detected_protocol.app_protocol]++; diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 8fe104b3e..b1ea6a3de 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c 
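Review bot: The call added in node_proto_guess_walker (example/ndpiReader.c) has no comment saying why the end-of-capture walk now runs process_ndpi_collected_info. Per its definition in ndpi_util.c, that function can invoke the detected/giveup callbacks and call ndpi_free_flow_info_half. If the intent is to pick up metadata after the guess/giveup step, a comment such as `/* collect dissector metadata for flows classified only at giveup time */` above the call would record it. The same commit also reduces three expected-output files (KakaoTalk_chat, KakaoTalk_talk and quickplay .pcap.out) to a blank line, so ndpiReader's output on those captures should be re-checked before the emptied baselines are accepted. The walker's body starts and ends outside the hunk.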
@@ -435,6 +435,64 @@ static struct ndpi_flow_info *get_ndpi_flow_info6(struct ndpi_workflow * workflo /* ****************************************************** */ +void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow) { + if(!flow->ndpi_flow) return; + + snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s", + flow->ndpi_flow->host_server_name); + + /* BITTORRENT */ + if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_BITTORRENT) { + int i, j, n = 0; + + for(i=0, j = 0; j < sizeof(flow->bittorent_hash)-1; i++) { + sprintf(&flow->bittorent_hash[j], "%02x", flow->ndpi_flow->bittorent_hash[i]); + j += 2, n += flow->ndpi_flow->bittorent_hash[i]; + } + + if(n == 0) flow->bittorent_hash[0] = '\0'; + } + /* MDNS */ + else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_MDNS) { + snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.mdns.answer); + } + /* UBNTAC2 */ + else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UBNTAC2) { + snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.ubntac2.version); + } + if(flow->detected_protocol.app_protocol != NDPI_PROTOCOL_DNS) { + /* SSH */ + if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH) { + snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s", + flow->ndpi_flow->protos.ssh.client_signature); + snprintf(flow->ssh_ssl.server_info, sizeof(flow->ssh_ssl.server_info), "%s", + flow->ndpi_flow->protos.ssh.server_signature); + } + /* SSL */ + else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSL) + || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)) { + snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s", + flow->ndpi_flow->protos.ssl.client_certificate); + snprintf(flow->ssh_ssl.server_info, sizeof(flow->ssh_ssl.server_info), "%s", + flow->ndpi_flow->protos.ssl.server_certificate); + } + } + + if(flow->detection_completed) { + 
if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { + if (workflow->__flow_giveup_callback != NULL) + workflow->__flow_giveup_callback(workflow, flow, workflow->__flow_giveup_udata); + } else { + if (workflow->__flow_detected_callback != NULL) + workflow->__flow_detected_callback(workflow, flow, workflow->__flow_detected_udata); + } + + ndpi_free_flow_info_half(flow); + } +} + +/* ****************************************************** */ + /** Function to process the packet: determine the flow of a packet and try to decode it @@ -494,6 +552,7 @@ static unsigned int packet_processing(struct ndpi_workflow * workflow, || ((proto == IPPROTO_UDP) && (flow->packets > 8)) || ((proto == IPPROTO_TCP) && (flow->packets > 10))) { /* New protocol detected or give up */ + flow->detection_completed = 1; } 
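Review bot: In the new process_ndpi_collected_info (example/ndpi_util.c) the BitTorrent branch writes into the 41-byte `flow->bittorent_hash` with an unbounded `sprintf`, which is safe only while every `%02x` emits exactly two characters. The element type of `flow->ndpi_flow->bittorent_hash` is not visible here; if it is plain `char`, a byte with the high bit set is promoted to a negative int and printed as eight hex digits, which runs past the destination. Bound the write and make the conversion explicit: `snprintf(&flow->bittorent_hash[j], sizeof(flow->bittorent_hash) - j, "%02x", (unsigned char)flow->ndpi_flow->bittorent_hash[i]);`. The function also drops the `proto == IPPROTO_TCP` test that the removed code in packet_processing applied before copying SSH/SSL info, which is worth confirming as intended.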
@@ -503,58 +562,7 @@ static unsigned int packet_processing(struct ndpi_workflow * workflow, flow->ndpi_flow); } - snprintf(flow->host_server_name, sizeof(flow->host_server_name), "%s", - flow->ndpi_flow->host_server_name); - - /* BITTORRENT */ - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_BITTORRENT) { - int i, j, n = 0; - - for(i=0, j = 0; j < sizeof(flow->bittorent_hash)-1; i++) { - sprintf(&flow->bittorent_hash[j], "%02x", flow->ndpi_flow->bittorent_hash[i]); - j += 2, n += flow->ndpi_flow->bittorent_hash[i]; - } - - if(n == 0) flow->bittorent_hash[0] = '\0'; - } - /* MDNS */ - else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_MDNS) { - snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.mdns.answer); - } - /* UBNTAC2 */ - else if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UBNTAC2) { - snprintf(flow->info, sizeof(flow->info), "%s", flow->ndpi_flow->protos.ubntac2.version); - } - if((proto == IPPROTO_TCP) && (flow->detected_protocol.app_protocol != NDPI_PROTOCOL_DNS)) { - /* SSH */ - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSH) { - snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s", - flow->ndpi_flow->protos.ssh.client_signature); - snprintf(flow->ssh_ssl.server_info, sizeof(flow->ssh_ssl.server_info), "%s", - flow->ndpi_flow->protos.ssh.server_signature); - } - /* SSL */ - else if((flow->detected_protocol.app_protocol == NDPI_PROTOCOL_SSL) - || (flow->detected_protocol.master_protocol == NDPI_PROTOCOL_SSL)) { - snprintf(flow->ssh_ssl.client_info, sizeof(flow->ssh_ssl.client_info), "%s", - flow->ndpi_flow->protos.ssl.client_certificate); - snprintf(flow->ssh_ssl.server_info, sizeof(flow->ssh_ssl.server_info), "%s", - flow->ndpi_flow->protos.ssl.server_certificate); - } - } - - if(flow->detection_completed) { - if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { - if (workflow->__flow_giveup_callback != NULL) - workflow->__flow_giveup_callback(workflow, 
flow, workflow->__flow_giveup_udata); - } else { - if (workflow->__flow_detected_callback != NULL) - workflow->__flow_detected_callback(workflow, flow, workflow->__flow_detected_udata); - } - - ndpi_free_flow_info_half(flow); - } - + process_ndpi_collected_info(workflow, flow); return 0; } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 6ff17bac2..1c092cbfa 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -159,5 +159,6 @@ static inline void ndpi_workflow_set_flow_giveup_callback(struct ndpi_workflow * /* compare two nodes in workflow */ int ndpi_workflow_node_cmp(const void *a, const void *b); +void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow); #endif diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index 5c8589c3f..a2abca7b8 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
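Review bot: The prototype added to example/ndpi_util.h has no comment, yet the definition does more than copy strings. When `flow->detection_completed` is set it invokes the detected or giveup callback and calls `ndpi_free_flow_info_half(flow)`, and it returns immediately when `flow->ndpi_flow` is NULL. Callers such as node_proto_guess_walker need to know this. Suggested comment above the declaration: `/* Copy dissector metadata (host name, BitTorrent hash, MDNS/UBNT info, SSH/SSL strings) into flow; if flow->detection_completed is set, run the detected/giveup callback and call ndpi_free_flow_info_half(flow). No-op when flow->ndpi_flow is NULL. */`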
@@ -3327,30 +3327,34 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { u_int16_t guessed_protocol_id, guessed_host_protocol_id; - if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) - && (flow->packet.l4_protocol == IPPROTO_TCP) - && (flow->l4.tcp.ssl_stage > 1)) - flow->guessed_protocol_id = NDPI_PROTOCOL_SSL; - - guessed_protocol_id = flow->guessed_protocol_id, - guessed_host_protocol_id = flow->guessed_host_protocol_id; - - if((guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) - && (NDPI_ISSET(&flow->excluded_protocol_bitmask, guessed_host_protocol_id))) - guessed_host_protocol_id = NDPI_PROTOCOL_UNKNOWN; - - - /* Ignore guessed protocol if they have been discarded */ - if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) - && (guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) - && (NDPI_ISSET(&flow->excluded_protocol_bitmask, guessed_protocol_id))) - guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN; - - if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) - || (guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) { - ndpi_int_change_protocol(ndpi_struct, flow, - guessed_host_protocol_id, - guessed_protocol_id); + if(flow->protos.ssl.client_certificate[0] != '\0') { + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL, NDPI_PROTOCOL_UNKNOWN); + } else { + if((flow->guessed_protocol_id == NDPI_PROTOCOL_UNKNOWN) + && (flow->packet.l4_protocol == IPPROTO_TCP) + && (flow->l4.tcp.ssl_stage > 1)) + flow->guessed_protocol_id = NDPI_PROTOCOL_SSL; + + guessed_protocol_id = flow->guessed_protocol_id, + guessed_host_protocol_id = flow->guessed_host_protocol_id; + + if((guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN) + && (NDPI_ISSET(&flow->excluded_protocol_bitmask, guessed_host_protocol_id))) + guessed_host_protocol_id = NDPI_PROTOCOL_UNKNOWN; + + + /* Ignore guessed protocol if they have been discarded */ + if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) + && 
(guessed_host_protocol_id == NDPI_PROTOCOL_UNKNOWN) + && (NDPI_ISSET(&flow->excluded_protocol_bitmask, guessed_protocol_id))) + guessed_protocol_id = NDPI_PROTOCOL_UNKNOWN; + + if((guessed_protocol_id != NDPI_PROTOCOL_UNKNOWN) + || (guessed_host_protocol_id != NDPI_PROTOCOL_UNKNOWN)) { + ndpi_int_change_protocol(ndpi_struct, flow, + guessed_host_protocol_id, + guessed_protocol_id); + } } } else { flow->detected_protocol_stack[1] = flow->guessed_protocol_id, diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 8915b0e99..69f06e714 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -24,10 +24,9 @@ #include "ndpi_api.h" -/* #define CERTIFICATE_DEBUG 1 */ - #ifdef NDPI_PROTOCOL_SSL +/* #define CERTIFICATE_DEBUG 1 */ #define NDPI_MAX_SSL_REQUEST_SIZE 10000 /* Skype.c */ @@ -184,6 +183,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, /* Check after handshake protocol header (5 bytes) and message header (4 bytes) */ for(i = 9; i < packet->payload_packet_len-3; i++) { if(((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x0c)) + || ((packet->payload[i] == 0x04) && (packet->payload[i+1] == 0x03) && (packet->payload[i+2] == 0x13)) || ((packet->payload[i] == 0x55) && (packet->payload[i+1] == 0x04) && (packet->payload[i+2] == 0x03))) { u_int8_t server_len = packet->payload[i+3]; @@ -345,7 +345,7 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s && flow->l4.tcp.seen_syn_ack && flow->l4.tcp.seen_ack /* We have seen the 3-way handshake */) || (flow->protos.ssl.server_certificate[0] != '\0') - || (flow->protos.ssl.client_certificate[0] != '\0') + /* || (flow->protos.ssl.client_certificate[0] != '\0') */ ) ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); } diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out index 520173ab5..bc6b7973b 100644 --- a/tests/result/6in4tunnel.pcap.out 
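Review bot: In ndpi_detection_giveup (src/lib/ndpi_main.c) the new first branch classifies a still-unknown flow as SSL solely because `flow->protos.ssl.client_certificate[0] != '\0'`. The declaration of `protos` is outside these hunks; if it is a union, the ssh, mdns and ubntac2 members share storage with `ssl`, so that byte may have been written by another dissector and the flow would be reported as SSL on that basis. Requiring the transport to match would narrow this, for example `if((flow->packet.l4_protocol == IPPROTO_TCP) && (flow->protos.ssl.client_certificate[0] != '\0'))`. Recording which member of `protos` is valid would remove the ambiguity entirely. The function starts outside the hunk.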
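Review bot: The byte patterns in getSSLcertificate's scan loop (ssl.c, hunk @@ -184,6 +183,7) are undocumented, which makes the new `0x04 0x03 0x13` alternative hard to review. `55 04 03` is the DER encoding of OID 2.5.4.3 (commonName); the byte after it is the ASN.1 string tag, 0x0c for UTF8String and 0x13 for PrintableString, so for the two `04 03 <tag>` alternatives `payload[i+3]` is the length byte. A comment such as `/* tail of OID 2.5.4.3 (commonName) followed by the string tag: 0x0c UTF8String, 0x13 PrintableString */` above the condition would state this. `server_len` is taken straight from the packet and its use is outside the hunk, so the check that `i + 3 + server_len` stays within `payload_packet_len` should be confirmed there.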
+++ b/tests/result/6in4tunnel.pcap.out @@ -6,7 +6,7 @@ Facebook 37 14726 3 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:443 <-> [2a03:2880:1010:6f03:face:b00c::2]:53234 [proto: 91.119/SSL.Facebook][33 pkts/13926 bytes][client: www.facebook.com] 2 UDP [2001:470:1f16:13f::2]:6404 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][2 pkts/394 bytes][Host: star.c10r.facebook.com] - 3 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:443 <-> [2604:a880:1:20::224:b001]:60205 [proto: 91/SSL][28 pkts/15397 bytes][client: mail.tomasu.net] + 3 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:443 <-> [2604:a880:1:20::224:b001]:60205 [proto: 91/SSL][28 pkts/15397 bytes][client: mail.tomasu.net][server: mail.tomasu.net] 4 ICMPV6 [2001:470:1f16:13f::2]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][1 pkts/200 bytes] 5 ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 <-> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][1 pkts/1314 bytes] 6 TCP [2604:a880:1:20::224:b001]:993 <-> [2001:470:1f17:13f:6d69:c72:7313:616f]:35610 [proto: 51/IMAPS][2 pkts/258 bytes] diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out index fa510f8ba..8b1378917 100644 --- a/tests/result/KakaoTalk_chat.pcap.out +++ b/tests/result/KakaoTalk_chat.pcap.out 
@@ -1,48 +1 @@ -DNS 2 217 1 -HTTP 1 56 1 -ICMP 1 147 1 -SSL 29 4579 3 -Facebook 215 51809 12 -Google 16 1031 3 -HTTP_Proxy 26 3926 1 -Amazon 2 181 1 -KakaoTalk 55 9990 15 - 1 UDP 10.188.1.1:53 <-> 10.24.82.188:56820 [proto: 5.193/DNS.KakaoTalk][2 pkts/205 bytes][Host: up-c.talk.kakao.com] - 2 UDP 10.188.1.1:53 <-> 10.24.82.188:57816 [proto: 5.193/DNS.KakaoTalk][2 pkts/244 bytes][Host: katalk.kakao.com] - 3 UDP 10.188.1.1:53 <-> 10.24.82.188:58810 [proto: 5.193/DNS.KakaoTalk][2 pkts/190 bytes][Host: item.kakao.com] - 4 TCP 10.24.82.188:34503 <-> 120.28.26.242:80 [proto: 7/HTTP][1 pkts/56 bytes] - 5 ICMP 10.188.191.1:0 <-> 10.24.82.188:0 [proto: 81/ICMP][1 pkts/147 bytes] - 6 UDP 10.188.1.1:53 <-> 10.24.82.188:4017 [proto: 5.119/DNS.Facebook][2 pkts/229 bytes][Host: developers.facebook.com] - 7 UDP 10.188.1.1:53 <-> 10.24.82.188:5929 [proto: 5.193/DNS.KakaoTalk][2 pkts/205 bytes][Host: up-p.talk.kakao.com] - 8 TCP 10.24.82.188:58927 <-> 54.255.253.199:5223 [proto: 178/Amazon][2 pkts/181 bytes] - 9 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][26 pkts/3926 bytes] - 10 TCP 210.103.240.15:443 <-> 10.24.82.188:37821 [proto: 91.193/SSL.KakaoTalk][27 pkts/7126 bytes][server: *.kakao.com] - 11 UDP 10.188.1.1:53 <-> 10.24.82.188:25117 [proto: 5.193/DNS.KakaoTalk][2 pkts/208 bytes][Host: up-gp.talk.kakao.com] - 12 UDP 10.188.1.1:53 <-> 10.24.82.188:29029 [proto: 5.193/DNS.KakaoTalk][2 pkts/205 bytes][Host: up-a.talk.kakao.com] - 13 UDP 10.188.1.1:53 <-> 10.24.82.188:35603 [proto: 5.193/DNS.KakaoTalk][2 pkts/215 bytes][Host: ac-talk.kakao.com] - 14 TCP 31.13.68.84:80 <-> 10.24.82.188:37553 [proto: 7.119/HTTP.Facebook][10 pkts/1058 bytes][Host: www.facebook.com] - 15 TCP 31.13.68.84:80 <-> 10.24.82.188:37557 [proto: 7.119/HTTP.Facebook][11 pkts/1114 bytes][Host: www.facebook.com] - 16 UDP 10.188.1.1:53 <-> 10.24.82.188:41909 [proto: 5.193/DNS.KakaoTalk][2 pkts/214 bytes][Host: booking.loco.kakao.com] - 17 UDP 10.188.1.1:53 <-> 10.24.82.188:43077 [proto: 
5.193/DNS.KakaoTalk][2 pkts/178 bytes][Host: dn-l.talk.kakao.com] - 18 UDP 10.188.1.1:53 <-> 10.24.82.188:61011 [proto: 5.193/DNS.KakaoTalk][2 pkts/200 bytes][Host: plus-talk.kakao.com] - 19 UDP 10.188.191.1:53 <-> 10.24.82.188:61011 [proto: 5.193/DNS.KakaoTalk][2 pkts/200 bytes][Host: plus-talk.kakao.com] - 20 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91/SSL][6 pkts/1890 bytes][server: *.push.samsungosp.com] - 21 UDP 10.188.1.1:53 <-> 10.24.82.188:9094 [proto: 5.193/DNS.KakaoTalk][2 pkts/205 bytes][Host: up-v.talk.kakao.com] - 22 TCP 173.252.97.2:443 <-> 10.24.82.188:35503 [proto: 91.119/SSL.Facebook][38 pkts/7591 bytes][server: *.facebook.com] - 23 TCP 173.252.97.2:443 <-> 10.24.82.188:35511 [proto: 91.119/SSL.Facebook][36 pkts/7152 bytes][server: *.facebook.com] - 24 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][18 pkts/2409 bytes] - 25 UDP 10.188.1.1:53 <-> 10.24.82.188:12908 [proto: 5.193/DNS.KakaoTalk][2 pkts/205 bytes][Host: up-m.talk.kakao.com] - 26 TCP 173.194.72.188:5228 <-> 10.24.82.188:34686 [proto: 126/Google][1 pkts/164 bytes] - 27 UDP 10.188.1.1:53 <-> 10.24.82.188:14650 [proto: 5/DNS][2 pkts/217 bytes][Host: 2.97.252.173.in-addr.arpa] - 28 UDP 10.188.1.1:53 <-> 10.24.82.188:19582 [proto: 5.119/DNS.Facebook][2 pkts/218 bytes][Host: graph.facebook.com] - 29 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][14 pkts/784 bytes] - 30 UDP 10.188.1.1:53 <-> 10.24.82.188:24596 [proto: 5.119/DNS.Facebook][2 pkts/196 bytes][Host: api.facebook.com] - 31 TCP 210.103.240.15:443 <-> 10.24.82.188:42332 [proto: 91/SSL][5 pkts/280 bytes] - 32 TCP 216.58.220.174:443 <-> 10.24.82.188:49217 [proto: 91.126/SSL.Google][1 pkts/83 bytes] - 33 UDP 10.188.1.1:53 <-> 10.24.82.188:38448 [proto: 5.193/DNS.KakaoTalk][2 pkts/190 bytes][Host: auth.kakao.com] - 34 TCP 31.13.68.70:443 <-> 10.24.82.188:43581 [proto: 91.119/SSL.Facebook][34 pkts/9655 bytes][client: graph.facebook.com] - 35 TCP 31.13.68.84:443 <-> 10.24.82.188:45209 
[proto: 91.119/SSL.Facebook][19 pkts/7707 bytes][client: api.facebook.com] - 36 TCP 31.13.68.84:443 <-> 10.24.82.188:45211 [proto: 91.119/SSL.Facebook][29 pkts/9077 bytes][client: developers.facebook.com] - 37 TCP 31.13.68.84:443 <-> 10.24.82.188:45213 [proto: 91.119/SSL.Facebook][28 pkts/7561 bytes][server: *.facebook.com] - 38 TCP 31.13.68.73:443 <-> 10.24.82.188:47007 [proto: 91.119/SSL.Facebook][4 pkts/251 bytes] diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out index 97b69377c..8b1378917 100644 --- a/tests/result/KakaoTalk_talk.pcap.out +++ b/tests/result/KakaoTalk_talk.pcap.out 
@@ -1,32 +1 @@ -HTTP 5 280 1 -QQ 15 1727 1 -SSL_No_Cert 74 14132 2 -RTP 2991 398751 2 -SSL 5 1198 1 -Facebook 5 377 3 -Google 4 359 4 -HTTP_Proxy 16 1838 2 -Tor 40 10538 1 -Amazon 4 396 1 -KakaoTalk_Voice 44 6196 2 - 1 TCP 10.24.82.188:34533 <-> 120.28.26.242:80 [proto: 7/HTTP][5 pkts/280 bytes] - 2 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 178/Amazon][4 pkts/396 bytes] - 3 TCP 10.24.82.188:38380 <-> 173.194.117.229:443 [proto: 91.126/SSL.Google][1 pkts/56 bytes] - 4 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][11 pkts/1488 bytes] - 5 UDP 10.188.1.1:53 <-> 10.24.82.188:25223 [proto: 5.119/DNS.Facebook][2 pkts/197 bytes][Host: mqtt.facebook.com] - 6 TCP 173.252.88.128:443 <-> 10.24.82.188:59912 [proto: 91.119/SSL.Facebook][2 pkts/124 bytes] - 7 TCP 173.252.88.128:443 <-> 10.24.82.188:59954 [proto: 64/SSL_No_Cert][29 pkts/4024 bytes] - 8 TCP 10.24.82.188:53974 <-> 203.205.151.233:8080 [proto: 131/HTTP_Proxy][5 pkts/350 bytes] - 9 TCP 110.76.143.50:8080 <-> 10.24.82.188:32968 [proto: 64/SSL_No_Cert][45 pkts/10108 bytes] - 10 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][5 pkts/1198 bytes] - 11 TCP 173.194.72.188:5228 <-> 10.24.82.188:34686 [proto: 126/Google][1 pkts/164 bytes] - 12 TCP 110.76.143.50:9001 <-> 10.24.82.188:58857 [proto: 163/Tor][40 pkts/10538 bytes] - 13 TCP 173.252.122.1:443 <-> 10.24.82.188:52123 [proto: 91.119/SSL.Facebook][1 pkts/56 bytes] - 14 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 7.48/HTTP.QQ][15 pkts/1727 bytes][Host: hkminorshort.weixin.qq.com] - 15 UDP 1.201.1.174:23047 <-> 10.24.82.188:10269 [proto: 194/KakaoTalk_Voice][22 pkts/3112 bytes] - 16 UDP 1.201.1.174:23046 <-> 10.24.82.188:10268 [proto: 87/RTP][1488 pkts/198510 bytes] - 17 UDP 1.201.1.174:23045 <-> 10.24.82.188:11321 [proto: 194/KakaoTalk_Voice][22 pkts/3084 bytes] - 18 UDP 1.201.1.174:23044 <-> 10.24.82.188:11320 [proto: 87/RTP][1503 pkts/200241 bytes] - 19 TCP 216.58.220.174:443 <-> 10.24.82.188:49217 [proto: 
91.126/SSL.Google][1 pkts/83 bytes] - 20 TCP 216.58.220.161:443 <-> 10.24.82.188:56697 [proto: 91.126/SSL.Google][1 pkts/56 bytes] diff --git a/tests/result/quickplay.pcap.out b/tests/result/quickplay.pcap.out index 277e25fc8..8b1378917 100644 --- a/tests/result/quickplay.pcap.out +++ b/tests/result/quickplay.pcap.out 
@@ -1,27 +1 @@ -QQ 12 4781 5 -Facebook 6 1740 3 -Google 2 378 1 -Amazon 2 1469 1 -QuickPlay 133 96179 11 - 1 TCP 120.28.26.231:80 <-> 10.54.169.250:33277 [proto: 7.126/HTTP.Google][2 pkts/378 bytes][Host: clients3.google.com] - 2 TCP 120.28.35.41:80 <-> 10.54.169.250:50669 [proto: 7.196/HTTP.QuickPlay][4 pkts/3680 bytes][Host: api-singtelhawk.quickplay.com] - 3 TCP 120.28.35.40:80 <-> 10.54.169.250:52007 [proto: 7.196/HTTP.QuickPlay][4 pkts/2735 bytes][Host: vod-singtelhawk.quickplay.com] - 4 TCP 120.28.35.40:80 <-> 10.54.169.250:52009 [proto: 7.196/HTTP.QuickPlay][65 pkts/45902 bytes][Host: vod-singtelhawk.quickplay.com] - 5 TCP 120.28.35.40:80 <-> 10.54.169.250:52017 [proto: 7.196/HTTP.QuickPlay][8 pkts/6032 bytes][Host: vod-singtelhawk.quickplay.com] - 6 TCP 120.28.35.40:80 <-> 10.54.169.250:52019 [proto: 7.196/HTTP.QuickPlay][25 pkts/19606 bytes][Host: vod-singtelhawk.quickplay.com] - 7 TCP 120.28.35.40:80 <-> 10.54.169.250:52021 [proto: 7.196/HTTP.QuickPlay][4 pkts/2754 bytes][Host: vod-singtelhawk.quickplay.com] - 8 TCP 203.205.147.215:80 <-> 10.54.169.250:35670 [proto: 7.48/HTTP.QQ][2 pkts/943 bytes][Host: hkminorshort.weixin.qq.com] - 9 TCP 203.205.129.101:80 <-> 10.54.169.250:42762 [proto: 7.48/HTTP.QQ][2 pkts/877 bytes][Host: hkextshort.weixin.qq.com] - 10 TCP 173.252.74.22:80 <-> 10.54.169.250:52285 [proto: 7.119/HTTP.Facebook][2 pkts/582 bytes][Host: www.facebook.com] - 11 TCP 31.13.68.49:80 <-> 10.54.169.250:44793 [proto: 7.119/HTTP.Facebook][2 pkts/576 bytes][Host: www.facebook.com] - 12 TCP 120.28.5.18:80 <-> 10.54.169.250:33064 [proto: 7.196/HTTP.QuickPlay][2 pkts/467 bytes][Host: api-singtelhawk.quickplay.com] - 13 TCP 54.179.140.65:80 <-> 10.54.169.250:56381 [proto: 7.178/HTTP.Amazon][2 pkts/1469 bytes][Host: api.account.xiaomi.com] - 14 TCP 120.28.5.41:80 <-> 10.54.169.250:44256 [proto: 7.196/HTTP.QuickPlay][3 pkts/2311 bytes][Host: play-singtelhawk.quickplay.com] - 15 TCP 120.28.35.41:80 <-> 10.54.169.250:50668 [proto: 7.196/HTTP.QuickPlay][4 
pkts/3360 bytes][Host: api-singtelhawk.quickplay.com] - 16 TCP 120.28.35.40:80 <-> 10.54.169.250:52018 [proto: 7.196/HTTP.QuickPlay][7 pkts/5048 bytes][Host: vod-singtelhawk.quickplay.com] - 17 TCP 120.28.35.40:80 <-> 10.54.169.250:52022 [proto: 7.196/HTTP.QuickPlay][7 pkts/4284 bytes][Host: vod-singtelhawk.quickplay.com] - 18 TCP 203.205.129.101:80 <-> 10.54.169.250:42761 [proto: 7.48/HTTP.QQ][2 pkts/641 bytes][Host: hkextshort.weixin.qq.com] - 19 TCP 173.252.74.22:80 <-> 10.54.169.250:52288 [proto: 7.119/HTTP.Facebook][2 pkts/582 bytes][Host: www.facebook.com] - 20 TCP 203.205.151.160:80 <-> 10.54.169.250:54883 [proto: 7.48/HTTP.QQ][3 pkts/1337 bytes][Host: hkextshort.weixin.qq.com] - 21 TCP 203.205.151.160:80 <-> 10.54.169.250:54885 [proto: 7.48/HTTP.QQ][3 pkts/983 bytes][Host: hkextshort.weixin.qq.com] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index 3cc919310..e781f27df 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out @@ -1,4 +1,4 @@ -Unknown 404 52712 16 +Unknown 381 48593 15 DNS 2 267 1 MDNS 8 1736 2 NTP 2 180 1 @@ -7,7 +7,7 @@ ICMP 8 656 1 IGMP 5 258 4 SSL 96 8876 7 Dropbox 38 17948 5 -Skype 1910 292610 244 +Skype 1933 296729 245 Apple 15 2045 2 AppleiCloud 88 20520 2 Spotify 5 430 1 
@@ -144,152 +144,153 @@ MS_OneDrive 387 198090 1 129 TCP 192.168.1.34:50087 <-> 111.221.77.142:443 [proto: 91.125/SSL.Skype][12 pkts/1107 bytes] 130 UDP 76.185.207.12:45493 <-> 192.168.1.34:13021 [proto: 125/Skype][5 pkts/300 bytes] 131 TCP 192.168.1.34:50137 <-> 5.248.186.221:31010 [proto: 125/Skype][18 pkts/1445 bytes] - 132 UDP 192.168.1.34:13021 <-> 111.221.77.142:40023 [proto: 125/Skype][1 pkts/72 bytes] - 133 UDP 192.168.1.34:13021 <-> 111.221.74.46:40027 [proto: 125/Skype][1 pkts/71 bytes] - 134 UDP 111.221.74.24:40001 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] - 135 UDP 111.221.74.19:40001 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/68 bytes] - 136 UDP 111.221.74.12:40031 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/75 bytes] - 137 UDP 192.168.1.34:13021 <-> 111.221.74.44:40031 [proto: 125/Skype][1 pkts/71 bytes] - 138 UDP 192.168.1.34:13021 <-> 111.221.74.43:40001 [proto: 125/Skype][1 pkts/76 bytes] - 139 UDP 111.221.74.32:40009 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 140 UDP 111.221.74.31:40021 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/73 bytes] - 141 UDP 192.168.1.34:13021 <-> 111.221.77.140:40003 [proto: 125/Skype][1 pkts/64 bytes] - 142 UDP 192.168.1.34:13021 <-> 111.221.77.145:40027 [proto: 125/Skype][1 pkts/77 bytes] - 143 UDP 192.168.1.34:13021 <-> 111.221.77.151:40027 [proto: 125/Skype][1 pkts/76 bytes] - 144 UDP 192.168.1.34:13021 <-> 111.221.77.148:40029 [proto: 125/Skype][1 pkts/69 bytes] - 145 UDP 192.168.1.34:13021 <-> 111.221.77.168:40007 [proto: 125/Skype][1 pkts/68 bytes] - 146 UDP 192.168.1.34:13021 <-> 111.221.77.166:40011 [proto: 125/Skype][1 pkts/77 bytes] - 147 UDP 192.168.1.34:13021 <-> 111.221.77.154:40017 [proto: 125/Skype][1 pkts/67 bytes] - 148 UDP 192.168.1.34:13021 <-> 111.221.77.159:40009 [proto: 125/Skype][1 pkts/78 bytes] - 149 TCP 192.168.1.34:50109 <-> 91.190.216.125:12350 [proto: 125/Skype][6 pkts/483 bytes] - 150 TCP 192.168.1.34:50125 <-> 91.190.218.125:12350 [proto: 
125/Skype][10 pkts/769 bytes] - 151 TCP 192.168.1.34:50129 <-> 91.190.218.125:12350 [proto: 125/Skype][10 pkts/599 bytes] - 152 TCP 192.168.1.34:50136 <-> 71.238.7.203:18767 [proto: 125/Skype][14 pkts/1101 bytes] - 153 UDP 192.168.1.34:13021 <-> 176.97.100.249:26635 [proto: 125/Skype][1 pkts/60 bytes] - 154 UDP 192.168.1.34:13021 <-> 157.55.235.146:33033 [proto: 125/Skype][1 pkts/66 bytes] - 155 UDP 192.168.1.34:13021 <-> 157.55.130.146:33033 [proto: 125/Skype][1 pkts/69 bytes] - 156 UDP 192.168.1.34:13021 <-> 157.55.56.146:33033 [proto: 125/Skype][1 pkts/70 bytes] - 157 TCP 76.167.161.6:20274 <-> 192.168.1.34:50112 [proto: 125/Skype][15 pkts/1254 bytes] - 158 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][387 pkts/198090 bytes][server: *.gateway.messenger.live.com] - 159 TCP 192.168.1.34:50036 <-> 157.56.52.44:443 [proto: 91.125/SSL.Skype][14 pkts/1328 bytes] - 160 TCP 192.168.1.34:50037 <-> 157.55.56.170:443 [proto: 91.125/SSL.Skype][15 pkts/1569 bytes] - 161 TCP 192.168.1.34:50045 <-> 157.55.130.167:443 [proto: 91.125/SSL.Skype][15 pkts/1411 bytes] - 162 TCP 192.168.1.34:50051 <-> 157.55.130.166:443 [proto: 91.125/SSL.Skype][15 pkts/1351 bytes] - 163 TCP 192.168.1.34:50057 <-> 157.55.130.153:443 [proto: 91.125/SSL.Skype][15 pkts/1349 bytes] - 164 TCP 192.168.1.34:50069 <-> 157.55.56.160:443 [proto: 91.125/SSL.Skype][15 pkts/1401 bytes] - 165 TCP 192.168.1.34:50081 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][15 pkts/1513 bytes] - 166 TCP 192.168.1.34:50091 <-> 157.55.235.146:443 [proto: 91.125/SSL.Skype][16 pkts/1754 bytes] - 167 TCP 192.168.1.34:50101 <-> 157.55.235.176:443 [proto: 91.125/SSL.Skype][15 pkts/1590 bytes] - 168 TCP 192.168.1.34:50146 <-> 157.56.53.51:443 [proto: 91/SSL][8 pkts/608 bytes] - 169 UDP 192.168.1.34:13021 <-> 157.55.130.160:40029 [proto: 125/Skype][1 pkts/67 bytes] - 170 UDP 192.168.1.34:13021 <-> 157.55.130.154:40005 [proto: 125/Skype][1 pkts/79 bytes] - 171 UDP 192.168.1.34:13021 <-> 
157.56.52.45:40012 [proto: 125/Skype][1 pkts/67 bytes] - 172 UDP 157.56.52.21:40004 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] - 173 UDP 157.56.52.26:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] - 174 UDP 192.168.1.34:13021 <-> 157.56.52.37:40032 [proto: 125/Skype][1 pkts/69 bytes] - 175 UDP 192.168.1.34:13021 <-> 157.55.235.142:40025 [proto: 125/Skype][1 pkts/70 bytes] - 176 UDP 192.168.1.34:13021 <-> 157.55.56.142:40023 [proto: 125/Skype][1 pkts/77 bytes] - 177 UDP 192.168.1.34:13021 <-> 157.55.235.152:40001 [proto: 125/Skype][1 pkts/79 bytes] - 178 UDP 192.168.1.34:13021 <-> 157.55.56.151:40027 [proto: 125/Skype][1 pkts/77 bytes] - 179 UDP 192.168.1.34:13021 <-> 157.55.56.145:40027 [proto: 125/Skype][1 pkts/68 bytes] - 180 UDP 192.168.1.34:13021 <-> 157.55.130.143:40017 [proto: 125/Skype][1 pkts/77 bytes] - 181 UDP 192.168.1.34:13021 <-> 157.55.130.148:40019 [proto: 125/Skype][1 pkts/64 bytes] - 182 UDP 192.168.1.34:13021 <-> 157.55.130.147:40019 [proto: 125/Skype][1 pkts/76 bytes] - 183 UDP 192.168.1.34:13021 <-> 157.55.130.151:40017 [proto: 125/Skype][1 pkts/72 bytes] - 184 UDP 192.168.1.34:13021 <-> 157.55.235.153:40023 [proto: 125/Skype][1 pkts/73 bytes] - 185 UDP 192.168.1.34:13021 <-> 157.55.130.157:40013 [proto: 125/Skype][1 pkts/67 bytes] - 186 UDP 192.168.1.34:13021 <-> 157.55.235.155:40003 [proto: 125/Skype][1 pkts/77 bytes] - 187 UDP 192.168.1.34:13021 <-> 157.55.235.158:40031 [proto: 125/Skype][1 pkts/64 bytes] - 188 UDP 192.168.1.34:13021 <-> 157.55.235.159:40021 [proto: 125/Skype][1 pkts/64 bytes] - 189 UDP 192.168.1.34:13021 <-> 157.55.56.175:40013 [proto: 125/Skype][1 pkts/77 bytes] - 190 UDP 192.168.1.34:13021 <-> 157.55.235.161:40011 [proto: 125/Skype][1 pkts/78 bytes] - 191 UDP 192.168.1.34:13021 <-> 157.55.235.160:40027 [proto: 125/Skype][1 pkts/69 bytes] - 192 UDP 192.168.1.34:13021 <-> 157.55.130.172:40019 [proto: 125/Skype][1 pkts/67 bytes] - 193 UDP 192.168.1.34:13021 <-> 157.55.235.166:40015 [proto: 
125/Skype][1 pkts/69 bytes] - 194 UDP 192.168.1.1:53 <-> 192.168.1.34:49360 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 195 TCP 149.13.32.15:13392 <-> 192.168.1.34:50132 [proto: 125/Skype][18 pkts/1412 bytes] - 196 UDP 192.168.1.92:57621 <-> 192.168.1.255:57621 [proto: 156/Spotify][5 pkts/430 bytes] - 197 UDP 192.168.1.1:53 <-> 192.168.1.34:49990 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] - 198 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes] - 199 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes] - 200 UDP 192.168.1.34:13021 <-> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/67 bytes] - 201 UDP 192.168.1.1:53 <-> 192.168.1.34:51802 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 202 UDP 192.168.1.1:53 <-> 192.168.1.34:52714 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 203 UDP 192.168.1.1:53 <-> 192.168.1.34:52850 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] - 204 UDP 192.168.1.1:53 <-> 192.168.1.34:52742 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst5.r.skype.net] - 205 TCP 192.168.1.34:50039 <-> 213.199.179.175:443 [proto: 91/SSL][16 pkts/1592 bytes] - 206 TCP 192.168.1.34:50079 <-> 213.199.179.142:443 [proto: 91/SSL][16 pkts/1376 bytes] - 207 UDP 192.168.1.1:53 <-> 192.168.1.34:54396 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] - 208 TCP 192.168.1.34:50099 <-> 64.4.23.166:40022 [proto: 125/Skype][16 pkts/1355 bytes] - 209 TCP 65.55.223.33:40002 <-> 192.168.1.34:50026 [proto: 125/Skype][17 pkts/1370 bytes] - 210 TCP 65.55.223.12:40031 <-> 192.168.1.34:50065 [proto: 125/Skype][17 pkts/1401 bytes] - 211 TCP 65.55.223.15:40026 <-> 192.168.1.34:50098 [proto: 125/Skype][17 pkts/1381 bytes] - 212 UDP 192.168.1.1:53 <-> 192.168.1.34:57288 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 
335.0.7.7.3.rst6.r.skype.net] - 213 UDP 192.168.1.1:53 <-> 192.168.1.34:57406 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 214 UDP 192.168.1.1:53 <-> 192.168.1.34:57726 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 215 UDP 192.168.1.34:13021 <-> 213.199.179.165:40007 [proto: 125/Skype][1 pkts/74 bytes] - 216 UDP 192.168.1.34:13021 <-> 213.199.179.141:40015 [proto: 125/Skype][1 pkts/75 bytes] - 217 UDP 192.168.1.34:13021 <-> 213.199.179.162:40029 [proto: 125/Skype][1 pkts/70 bytes] - 218 UDP 192.168.1.34:13021 <-> 213.199.179.152:40023 [proto: 125/Skype][1 pkts/64 bytes] - 219 UDP 192.168.1.34:13021 <-> 213.199.179.145:40027 [proto: 125/Skype][1 pkts/66 bytes] - 220 UDP 192.168.1.34:13021 <-> 213.199.179.170:40011 [proto: 125/Skype][1 pkts/71 bytes] - 221 UDP 192.168.1.1:53 <-> 192.168.1.34:58458 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 222 UDP 192.168.1.1:53 <-> 192.168.1.34:58368 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst13.r.skype.net] - 223 UDP 192.168.1.1:53 <-> 192.168.1.34:60288 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 224 ICMP 192.168.1.1:0 <-> 192.168.1.34:0 [proto: 81/ICMP][8 pkts/656 bytes] - 225 UDP 192.168.1.1:53 <-> 192.168.1.34:62454 [proto: 5.143/DNS.AppleiCloud][2 pkts/234 bytes][Host: p05-keyvalueservice.icloud.com.akadns.net] - 226 UDP 192.168.1.1:53 <-> 192.168.1.34:63108 [proto: 5.125/DNS.Skype][7 pkts/651 bytes][Host: a.config.skype.trafficmanager.net] - 227 UDP 192.168.1.92:50084 <-> 239.255.255.250:1900 [proto: 12/SSDP][14 pkts/7281 bytes] - 228 UDP 192.168.1.34:51066 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] - 229 UDP 192.168.1.1:53 <-> 192.168.1.34:65426 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] - 230 TCP 192.168.1.34:50130 <-> 212.161.8.36:13392 [proto: 125/Skype][17 pkts/1380 bytes] - 231 TCP 192.168.1.34:50059 <-> 111.221.74.38:40015 
[proto: 125/Skype][16 pkts/1236 bytes] - 232 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][17 pkts/3535 bytes][client: apps.skype.com] - 233 IGMP 224.0.0.1:0 <-> 192.168.0.254:0 [proto: 82/IGMP][2 pkts/92 bytes] - 234 IGMP 224.0.0.1:0 <-> 192.168.1.1:0 [proto: 82/IGMP][1 pkts/60 bytes] - 235 IGMP 192.168.1.92:0 <-> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/60 bytes] - 236 IGMP 192.168.1.34:0 <-> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/46 bytes] - 237 UDP 192.168.1.34:56886 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] - 238 TCP 192.168.1.34:50033 <-> 157.55.56.170:40015 [proto: 125/Skype][17 pkts/1361 bytes] - 239 TCP 157.56.52.28:40009 <-> 192.168.1.34:50108 [proto: 125/Skype][472 pkts/164627 bytes] - 240 TCP 192.168.1.34:50049 <-> 157.55.130.166:40021 [proto: 125/Skype][16 pkts/1278 bytes] - 241 TCP 192.168.1.34:50067 <-> 157.55.56.160:40027 [proto: 125/Skype][17 pkts/1305 bytes] - 242 TCP 192.168.1.34:50070 <-> 157.55.130.170:40018 [proto: 125/Skype][17 pkts/1312 bytes] - 243 TCP 192.168.1.34:50076 <-> 157.55.235.156:40014 [proto: 125/Skype][18 pkts/1442 bytes] - 244 TCP 192.168.1.34:50092 <-> 157.55.130.155:40020 [proto: 125/Skype][17 pkts/1387 bytes] - 245 UDP 192.168.1.34:64560 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] - 246 UDP 192.168.1.34:13021 <-> 64.4.23.146:33033 [proto: 125/Skype][1 pkts/66 bytes] - 247 TCP 86.31.35.30:59621 <-> 192.168.1.34:50115 [proto: 125/Skype][17 pkts/1386 bytes] - 248 TCP 192.168.1.34:50103 <-> 64.4.23.166:443 [proto: 91/SSL][12 pkts/1147 bytes] - 249 TCP 65.55.223.33:443 <-> 192.168.1.34:50030 [proto: 91/SSL][15 pkts/1311 bytes] - 250 TCP 65.55.223.12:443 <-> 192.168.1.34:50066 [proto: 91/SSL][15 pkts/1452 bytes] - 251 TCP 65.55.223.15:443 <-> 192.168.1.34:50102 [proto: 91/SSL][14 pkts/1390 bytes] - 252 UDP 239.255.255.250:1900 <-> 192.168.0.254:1025 [proto: 12/SSDP][79 pkts/29479 bytes] - 253 UDP 192.168.1.34:13021 <-> 71.62.0.85:33647 [proto: 125/Skype][1 pkts/60 bytes] - 254 
UDP 192.168.1.92:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][4 pkts/828 bytes] - 255 UDP 192.168.1.34:13021 <-> 64.4.23.159:40009 [proto: 125/Skype][1 pkts/70 bytes] - 256 UDP 192.168.1.34:13021 <-> 64.4.23.151:40029 [proto: 125/Skype][1 pkts/72 bytes] - 257 UDP 192.168.1.34:13021 <-> 64.4.23.170:40011 [proto: 125/Skype][1 pkts/68 bytes] - 258 UDP 192.168.1.34:13021 <-> 64.4.23.173:40017 [proto: 125/Skype][1 pkts/66 bytes] - 259 UDP 65.55.223.15:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/66 bytes] - 260 UDP 192.168.1.34:13021 <-> 65.55.223.43:40002 [proto: 125/Skype][1 pkts/76 bytes] - 261 UDP 65.55.223.17:40022 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 262 UDP 65.55.223.25:40028 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/76 bytes] - 263 UDP 65.55.223.24:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] - 264 UDP 65.55.223.28:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] - 265 UDP 65.55.223.26:40004 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/79 bytes] - 266 UDP 65.55.223.29:40010 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] - 267 UDP 192.168.1.34:13021 <-> 65.55.223.45:40012 [proto: 125/Skype][1 pkts/71 bytes] - 268 UDP 192.168.1.34:123 <-> 17.253.48.245:123 [proto: 9/NTP][2 pkts/180 bytes] - 269 TCP 192.168.1.34:50111 <-> 91.190.216.125:443 [proto: 91.125/SSL.Skype][20 pkts/1516 bytes] - 270 TCP 192.168.1.34:50123 <-> 80.14.46.121:4415 [proto: 125/Skype][18 pkts/1506 bytes] - 271 TCP 192.168.1.34:50141 <-> 80.14.46.121:4415 [proto: 125/Skype][15 pkts/1237 bytes] - 272 TCP 192.168.1.34:49445 <-> 108.160.170.46:443 [proto: 91.121/SSL.Dropbox][16 pkts/5980 bytes] - 273 TCP 192.168.1.34:50058 <-> 111.221.74.47:443 [proto: 91.125/SSL.Skype][14 pkts/1208 bytes] - 274 TCP 192.168.1.34:50100 <-> 111.221.74.46:443 [proto: 91.125/SSL.Skype][13 pkts/1109 bytes] - 275 TCP 192.168.1.34:50035 <-> 213.199.179.175:40021 [proto: 125/Skype][17 pkts/1304 bytes] - 276 TCP 192.168.1.34:50075 <-> 
213.199.179.142:40003 [proto: 125/Skype][19 pkts/1495 bytes] - 277 UDP [fe80::c62c:3ff:fe06:49fe]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][4 pkts/908 bytes] + 132 TCP 192.168.1.34:50139 <-> 5.248.186.221:31010 [proto: 125/Skype][23 pkts/4119 bytes] + 133 UDP 192.168.1.34:13021 <-> 111.221.77.142:40023 [proto: 125/Skype][1 pkts/72 bytes] + 134 UDP 192.168.1.34:13021 <-> 111.221.74.46:40027 [proto: 125/Skype][1 pkts/71 bytes] + 135 UDP 111.221.74.24:40001 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] + 136 UDP 111.221.74.19:40001 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/68 bytes] + 137 UDP 111.221.74.12:40031 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/75 bytes] + 138 UDP 192.168.1.34:13021 <-> 111.221.74.44:40031 [proto: 125/Skype][1 pkts/71 bytes] + 139 UDP 192.168.1.34:13021 <-> 111.221.74.43:40001 [proto: 125/Skype][1 pkts/76 bytes] + 140 UDP 111.221.74.32:40009 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] + 141 UDP 111.221.74.31:40021 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/73 bytes] + 142 UDP 192.168.1.34:13021 <-> 111.221.77.140:40003 [proto: 125/Skype][1 pkts/64 bytes] + 143 UDP 192.168.1.34:13021 <-> 111.221.77.145:40027 [proto: 125/Skype][1 pkts/77 bytes] + 144 UDP 192.168.1.34:13021 <-> 111.221.77.151:40027 [proto: 125/Skype][1 pkts/76 bytes] + 145 UDP 192.168.1.34:13021 <-> 111.221.77.148:40029 [proto: 125/Skype][1 pkts/69 bytes] + 146 UDP 192.168.1.34:13021 <-> 111.221.77.168:40007 [proto: 125/Skype][1 pkts/68 bytes] + 147 UDP 192.168.1.34:13021 <-> 111.221.77.166:40011 [proto: 125/Skype][1 pkts/77 bytes] + 148 UDP 192.168.1.34:13021 <-> 111.221.77.154:40017 [proto: 125/Skype][1 pkts/67 bytes] + 149 UDP 192.168.1.34:13021 <-> 111.221.77.159:40009 [proto: 125/Skype][1 pkts/78 bytes] + 150 TCP 192.168.1.34:50109 <-> 91.190.216.125:12350 [proto: 125/Skype][6 pkts/483 bytes] + 151 TCP 192.168.1.34:50125 <-> 91.190.218.125:12350 [proto: 125/Skype][10 pkts/769 bytes] + 152 TCP 192.168.1.34:50129 <-> 
91.190.218.125:12350 [proto: 125/Skype][10 pkts/599 bytes] + 153 TCP 192.168.1.34:50136 <-> 71.238.7.203:18767 [proto: 125/Skype][14 pkts/1101 bytes] + 154 UDP 192.168.1.34:13021 <-> 176.97.100.249:26635 [proto: 125/Skype][1 pkts/60 bytes] + 155 UDP 192.168.1.34:13021 <-> 157.55.235.146:33033 [proto: 125/Skype][1 pkts/66 bytes] + 156 UDP 192.168.1.34:13021 <-> 157.55.130.146:33033 [proto: 125/Skype][1 pkts/69 bytes] + 157 UDP 192.168.1.34:13021 <-> 157.55.56.146:33033 [proto: 125/Skype][1 pkts/70 bytes] + 158 TCP 76.167.161.6:20274 <-> 192.168.1.34:50112 [proto: 125/Skype][15 pkts/1254 bytes] + 159 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][387 pkts/198090 bytes][server: *.gateway.messenger.live.com] + 160 TCP 192.168.1.34:50036 <-> 157.56.52.44:443 [proto: 91.125/SSL.Skype][14 pkts/1328 bytes] + 161 TCP 192.168.1.34:50037 <-> 157.55.56.170:443 [proto: 91.125/SSL.Skype][15 pkts/1569 bytes] + 162 TCP 192.168.1.34:50045 <-> 157.55.130.167:443 [proto: 91.125/SSL.Skype][15 pkts/1411 bytes] + 163 TCP 192.168.1.34:50051 <-> 157.55.130.166:443 [proto: 91.125/SSL.Skype][15 pkts/1351 bytes] + 164 TCP 192.168.1.34:50057 <-> 157.55.130.153:443 [proto: 91.125/SSL.Skype][15 pkts/1349 bytes] + 165 TCP 192.168.1.34:50069 <-> 157.55.56.160:443 [proto: 91.125/SSL.Skype][15 pkts/1401 bytes] + 166 TCP 192.168.1.34:50081 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][15 pkts/1513 bytes] + 167 TCP 192.168.1.34:50091 <-> 157.55.235.146:443 [proto: 91.125/SSL.Skype][16 pkts/1754 bytes] + 168 TCP 192.168.1.34:50101 <-> 157.55.235.176:443 [proto: 91.125/SSL.Skype][15 pkts/1590 bytes] + 169 TCP 192.168.1.34:50146 <-> 157.56.53.51:443 [proto: 91/SSL][8 pkts/608 bytes] + 170 UDP 192.168.1.34:13021 <-> 157.55.130.160:40029 [proto: 125/Skype][1 pkts/67 bytes] + 171 UDP 192.168.1.34:13021 <-> 157.55.130.154:40005 [proto: 125/Skype][1 pkts/79 bytes] + 172 UDP 192.168.1.34:13021 <-> 157.56.52.45:40012 [proto: 125/Skype][1 pkts/67 bytes] + 173 UDP 
157.56.52.21:40004 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] + 174 UDP 157.56.52.26:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] + 175 UDP 192.168.1.34:13021 <-> 157.56.52.37:40032 [proto: 125/Skype][1 pkts/69 bytes] + 176 UDP 192.168.1.34:13021 <-> 157.55.235.142:40025 [proto: 125/Skype][1 pkts/70 bytes] + 177 UDP 192.168.1.34:13021 <-> 157.55.56.142:40023 [proto: 125/Skype][1 pkts/77 bytes] + 178 UDP 192.168.1.34:13021 <-> 157.55.235.152:40001 [proto: 125/Skype][1 pkts/79 bytes] + 179 UDP 192.168.1.34:13021 <-> 157.55.56.151:40027 [proto: 125/Skype][1 pkts/77 bytes] + 180 UDP 192.168.1.34:13021 <-> 157.55.56.145:40027 [proto: 125/Skype][1 pkts/68 bytes] + 181 UDP 192.168.1.34:13021 <-> 157.55.130.143:40017 [proto: 125/Skype][1 pkts/77 bytes] + 182 UDP 192.168.1.34:13021 <-> 157.55.130.148:40019 [proto: 125/Skype][1 pkts/64 bytes] + 183 UDP 192.168.1.34:13021 <-> 157.55.130.147:40019 [proto: 125/Skype][1 pkts/76 bytes] + 184 UDP 192.168.1.34:13021 <-> 157.55.130.151:40017 [proto: 125/Skype][1 pkts/72 bytes] + 185 UDP 192.168.1.34:13021 <-> 157.55.235.153:40023 [proto: 125/Skype][1 pkts/73 bytes] + 186 UDP 192.168.1.34:13021 <-> 157.55.130.157:40013 [proto: 125/Skype][1 pkts/67 bytes] + 187 UDP 192.168.1.34:13021 <-> 157.55.235.155:40003 [proto: 125/Skype][1 pkts/77 bytes] + 188 UDP 192.168.1.34:13021 <-> 157.55.235.158:40031 [proto: 125/Skype][1 pkts/64 bytes] + 189 UDP 192.168.1.34:13021 <-> 157.55.235.159:40021 [proto: 125/Skype][1 pkts/64 bytes] + 190 UDP 192.168.1.34:13021 <-> 157.55.56.175:40013 [proto: 125/Skype][1 pkts/77 bytes] + 191 UDP 192.168.1.34:13021 <-> 157.55.235.161:40011 [proto: 125/Skype][1 pkts/78 bytes] + 192 UDP 192.168.1.34:13021 <-> 157.55.235.160:40027 [proto: 125/Skype][1 pkts/69 bytes] + 193 UDP 192.168.1.34:13021 <-> 157.55.130.172:40019 [proto: 125/Skype][1 pkts/67 bytes] + 194 UDP 192.168.1.34:13021 <-> 157.55.235.166:40015 [proto: 125/Skype][1 pkts/69 bytes] + 195 UDP 192.168.1.1:53 <-> 
192.168.1.34:49360 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 196 TCP 149.13.32.15:13392 <-> 192.168.1.34:50132 [proto: 125/Skype][18 pkts/1412 bytes] + 197 UDP 192.168.1.92:57621 <-> 192.168.1.255:57621 [proto: 156/Spotify][5 pkts/430 bytes] + 198 UDP 192.168.1.1:53 <-> 192.168.1.34:49990 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] + 199 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes] + 200 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes] + 201 UDP 192.168.1.34:13021 <-> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/67 bytes] + 202 UDP 192.168.1.1:53 <-> 192.168.1.34:51802 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 203 UDP 192.168.1.1:53 <-> 192.168.1.34:52714 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 204 UDP 192.168.1.1:53 <-> 192.168.1.34:52850 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] + 205 UDP 192.168.1.1:53 <-> 192.168.1.34:52742 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst5.r.skype.net] + 206 TCP 192.168.1.34:50039 <-> 213.199.179.175:443 [proto: 91/SSL][16 pkts/1592 bytes] + 207 TCP 192.168.1.34:50079 <-> 213.199.179.142:443 [proto: 91/SSL][16 pkts/1376 bytes] + 208 UDP 192.168.1.1:53 <-> 192.168.1.34:54396 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] + 209 TCP 192.168.1.34:50099 <-> 64.4.23.166:40022 [proto: 125/Skype][16 pkts/1355 bytes] + 210 TCP 65.55.223.33:40002 <-> 192.168.1.34:50026 [proto: 125/Skype][17 pkts/1370 bytes] + 211 TCP 65.55.223.12:40031 <-> 192.168.1.34:50065 [proto: 125/Skype][17 pkts/1401 bytes] + 212 TCP 65.55.223.15:40026 <-> 192.168.1.34:50098 [proto: 125/Skype][17 pkts/1381 bytes] + 213 UDP 192.168.1.1:53 <-> 192.168.1.34:57288 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] + 214 UDP 192.168.1.1:53 <-> 192.168.1.34:57406 
[proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 215 UDP 192.168.1.1:53 <-> 192.168.1.34:57726 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 216 UDP 192.168.1.34:13021 <-> 213.199.179.165:40007 [proto: 125/Skype][1 pkts/74 bytes] + 217 UDP 192.168.1.34:13021 <-> 213.199.179.141:40015 [proto: 125/Skype][1 pkts/75 bytes] + 218 UDP 192.168.1.34:13021 <-> 213.199.179.162:40029 [proto: 125/Skype][1 pkts/70 bytes] + 219 UDP 192.168.1.34:13021 <-> 213.199.179.152:40023 [proto: 125/Skype][1 pkts/64 bytes] + 220 UDP 192.168.1.34:13021 <-> 213.199.179.145:40027 [proto: 125/Skype][1 pkts/66 bytes] + 221 UDP 192.168.1.34:13021 <-> 213.199.179.170:40011 [proto: 125/Skype][1 pkts/71 bytes] + 222 UDP 192.168.1.1:53 <-> 192.168.1.34:58458 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 223 UDP 192.168.1.1:53 <-> 192.168.1.34:58368 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst13.r.skype.net] + 224 UDP 192.168.1.1:53 <-> 192.168.1.34:60288 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 225 ICMP 192.168.1.1:0 <-> 192.168.1.34:0 [proto: 81/ICMP][8 pkts/656 bytes] + 226 UDP 192.168.1.1:53 <-> 192.168.1.34:62454 [proto: 5.143/DNS.AppleiCloud][2 pkts/234 bytes][Host: p05-keyvalueservice.icloud.com.akadns.net] + 227 UDP 192.168.1.1:53 <-> 192.168.1.34:63108 [proto: 5.125/DNS.Skype][7 pkts/651 bytes][Host: a.config.skype.trafficmanager.net] + 228 UDP 192.168.1.92:50084 <-> 239.255.255.250:1900 [proto: 12/SSDP][14 pkts/7281 bytes] + 229 UDP 192.168.1.34:51066 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] + 230 UDP 192.168.1.1:53 <-> 192.168.1.34:65426 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] + 231 TCP 192.168.1.34:50130 <-> 212.161.8.36:13392 [proto: 125/Skype][17 pkts/1380 bytes] + 232 TCP 192.168.1.34:50059 <-> 111.221.74.38:40015 [proto: 125/Skype][16 pkts/1236 bytes] + 233 TCP 192.168.1.34:50029 <-> 
23.206.33.166:443 [proto: 91.125/SSL.Skype][17 pkts/3535 bytes][client: apps.skype.com] + 234 IGMP 224.0.0.1:0 <-> 192.168.0.254:0 [proto: 82/IGMP][2 pkts/92 bytes] + 235 IGMP 224.0.0.1:0 <-> 192.168.1.1:0 [proto: 82/IGMP][1 pkts/60 bytes] + 236 IGMP 192.168.1.92:0 <-> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/60 bytes] + 237 IGMP 192.168.1.34:0 <-> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/46 bytes] + 238 UDP 192.168.1.34:56886 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] + 239 TCP 192.168.1.34:50033 <-> 157.55.56.170:40015 [proto: 125/Skype][17 pkts/1361 bytes] + 240 TCP 157.56.52.28:40009 <-> 192.168.1.34:50108 [proto: 125/Skype][472 pkts/164627 bytes] + 241 TCP 192.168.1.34:50049 <-> 157.55.130.166:40021 [proto: 125/Skype][16 pkts/1278 bytes] + 242 TCP 192.168.1.34:50067 <-> 157.55.56.160:40027 [proto: 125/Skype][17 pkts/1305 bytes] + 243 TCP 192.168.1.34:50070 <-> 157.55.130.170:40018 [proto: 125/Skype][17 pkts/1312 bytes] + 244 TCP 192.168.1.34:50076 <-> 157.55.235.156:40014 [proto: 125/Skype][18 pkts/1442 bytes] + 245 TCP 192.168.1.34:50092 <-> 157.55.130.155:40020 [proto: 125/Skype][17 pkts/1387 bytes] + 246 UDP 192.168.1.34:64560 <-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes] + 247 UDP 192.168.1.34:13021 <-> 64.4.23.146:33033 [proto: 125/Skype][1 pkts/66 bytes] + 248 TCP 86.31.35.30:59621 <-> 192.168.1.34:50115 [proto: 125/Skype][17 pkts/1386 bytes] + 249 TCP 192.168.1.34:50103 <-> 64.4.23.166:443 [proto: 91/SSL][12 pkts/1147 bytes] + 250 TCP 65.55.223.33:443 <-> 192.168.1.34:50030 [proto: 91/SSL][15 pkts/1311 bytes] + 251 TCP 65.55.223.12:443 <-> 192.168.1.34:50066 [proto: 91/SSL][15 pkts/1452 bytes] + 252 TCP 65.55.223.15:443 <-> 192.168.1.34:50102 [proto: 91/SSL][14 pkts/1390 bytes] + 253 UDP 239.255.255.250:1900 <-> 192.168.0.254:1025 [proto: 12/SSDP][79 pkts/29479 bytes] + 254 UDP 192.168.1.34:13021 <-> 71.62.0.85:33647 [proto: 125/Skype][1 pkts/60 bytes] + 255 UDP 192.168.1.92:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][4 pkts/828 
bytes] + 256 UDP 192.168.1.34:13021 <-> 64.4.23.159:40009 [proto: 125/Skype][1 pkts/70 bytes] + 257 UDP 192.168.1.34:13021 <-> 64.4.23.151:40029 [proto: 125/Skype][1 pkts/72 bytes] + 258 UDP 192.168.1.34:13021 <-> 64.4.23.170:40011 [proto: 125/Skype][1 pkts/68 bytes] + 259 UDP 192.168.1.34:13021 <-> 64.4.23.173:40017 [proto: 125/Skype][1 pkts/66 bytes] + 260 UDP 65.55.223.15:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/66 bytes] + 261 UDP 192.168.1.34:13021 <-> 65.55.223.43:40002 [proto: 125/Skype][1 pkts/76 bytes] + 262 UDP 65.55.223.17:40022 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] + 263 UDP 65.55.223.25:40028 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/76 bytes] + 264 UDP 65.55.223.24:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] + 265 UDP 65.55.223.28:40026 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] + 266 UDP 65.55.223.26:40004 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/79 bytes] + 267 UDP 65.55.223.29:40010 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] + 268 UDP 192.168.1.34:13021 <-> 65.55.223.45:40012 [proto: 125/Skype][1 pkts/71 bytes] + 269 UDP 192.168.1.34:123 <-> 17.253.48.245:123 [proto: 9/NTP][2 pkts/180 bytes] + 270 TCP 192.168.1.34:50111 <-> 91.190.216.125:443 [proto: 91.125/SSL.Skype][20 pkts/1516 bytes] + 271 TCP 192.168.1.34:50123 <-> 80.14.46.121:4415 [proto: 125/Skype][18 pkts/1506 bytes] + 272 TCP 192.168.1.34:50141 <-> 80.14.46.121:4415 [proto: 125/Skype][15 pkts/1237 bytes] + 273 TCP 192.168.1.34:49445 <-> 108.160.170.46:443 [proto: 91.121/SSL.Dropbox][16 pkts/5980 bytes] + 274 TCP 192.168.1.34:50058 <-> 111.221.74.47:443 [proto: 91.125/SSL.Skype][14 pkts/1208 bytes] + 275 TCP 192.168.1.34:50100 <-> 111.221.74.46:443 [proto: 91.125/SSL.Skype][13 pkts/1109 bytes] + 276 TCP 192.168.1.34:50035 <-> 213.199.179.175:40021 [proto: 125/Skype][17 pkts/1304 bytes] + 277 TCP 192.168.1.34:50075 <-> 213.199.179.142:40003 [proto: 125/Skype][19 pkts/1495 bytes] + 278 UDP 
[fe80::c62c:3ff:fe06:49fe]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][4 pkts/908 bytes] Undetected flows: @@ -301,11 +302,10 @@ Undetected flows: 6 TCP 192.168.1.34:50124 <-> 81.133.19.185:44431 [proto: 0/Unknown][22 pkts/1636 bytes] 7 TCP 192.168.1.34:50131 <-> 212.161.8.36:13392 [proto: 0/Unknown][19 pkts/5111 bytes] 8 TCP 192.168.1.34:50142 <-> 80.14.46.121:4415 [proto: 0/Unknown][18 pkts/1474 bytes] - 9 TCP 192.168.1.34:50139 <-> 5.248.186.221:31010 [proto: 0/Unknown][23 pkts/4119 bytes] - 10 TCP 192.168.1.34:50138 <-> 71.238.7.203:18767 [proto: 0/Unknown][32 pkts/4972 bytes] - 11 TCP 192.168.1.34:50121 <-> 81.83.77.141:17639 [proto: 0/Unknown][40 pkts/5609 bytes] - 12 TCP 76.167.161.6:20274 <-> 192.168.1.34:50140 [proto: 0/Unknown][3 pkts/206 bytes] - 13 TCP 192.168.1.34:50144 <-> 78.202.226.115:29059 [proto: 0/Unknown][14 pkts/1139 bytes] - 14 TCP 192.168.1.34:50145 <-> 157.56.53.51:12350 [proto: 0/Unknown][8 pkts/608 bytes] - 15 TCP 86.31.35.30:59621 <-> 192.168.1.34:50119 [proto: 0/Unknown][100 pkts/12266 bytes] - 16 TCP 192.168.1.34:50127 <-> 80.14.46.121:4415 [proto: 0/Unknown][27 pkts/2098 bytes] + 9 TCP 192.168.1.34:50138 <-> 71.238.7.203:18767 [proto: 0/Unknown][32 pkts/4972 bytes] + 10 TCP 192.168.1.34:50121 <-> 81.83.77.141:17639 [proto: 0/Unknown][40 pkts/5609 bytes] + 11 TCP 76.167.161.6:20274 <-> 192.168.1.34:50140 [proto: 0/Unknown][3 pkts/206 bytes] + 12 TCP 192.168.1.34:50144 <-> 78.202.226.115:29059 [proto: 0/Unknown][14 pkts/1139 bytes] + 13 TCP 192.168.1.34:50145 <-> 157.56.53.51:12350 [proto: 0/Unknown][8 pkts/608 bytes] + 14 TCP 86.31.35.30:59621 <-> 192.168.1.34:50119 [proto: 0/Unknown][100 pkts/12266 bytes] + 15 TCP 192.168.1.34:50127 <-> 80.14.46.121:4415 [proto: 0/Unknown][27 pkts/2098 bytes] diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out index a1e14bdea..e7cbd2a82 100644 --- a/tests/result/skype_no_unknown.pcap.out +++ b/tests/result/skype_no_unknown.pcap.out 
@@ -1,4 +1,4 @@ -Unknown 236 70600 14 +Unknown 216 66695 13 DNS 2 267 1 MDNS 3 400 2 NetBIOS 22 3106 7 @@ -7,7 +7,7 @@ ICMP 4 328 1 IGMP 4 226 4 SSL 79 7742 6 Dropbox 16 7342 5 -Skype 1241 181327 221 +Skype 1261 185232 222 Apple 84 20699 2 MS_OneDrive 348 181687 1 
@@ -128,142 +128,143 @@ MS_OneDrive 348 181687 1 115 TCP 192.168.1.34:51259 <-> 111.221.77.142:443 [proto: 91.125/SSL.Skype][14 pkts/1253 bytes] 116 TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91.125/SSL.Skype][3 pkts/206 bytes] 117 TCP 192.168.1.34:51258 <-> 213.199.179.176:40021 [proto: 125/Skype][19 pkts/1496 bytes] - 118 UDP 192.168.1.34:13021 <-> 111.221.74.34:40027 [proto: 125/Skype][1 pkts/73 bytes] - 119 UDP 111.221.74.33:40011 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/76 bytes] - 120 UDP 111.221.74.13:40009 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] - 121 UDP 111.221.74.27:40027 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 122 UDP 111.221.74.20:40033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] - 123 UDP 111.221.74.19:40001 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/73 bytes] - 124 UDP 192.168.1.34:13021 <-> 111.221.74.44:40019 [proto: 125/Skype][1 pkts/70 bytes] - 125 UDP 192.168.1.34:13021 <-> 111.221.74.38:40015 [proto: 125/Skype][1 pkts/64 bytes] - 126 UDP 192.168.1.34:13021 <-> 111.221.74.43:40001 [proto: 125/Skype][1 pkts/67 bytes] - 127 UDP 192.168.1.34:13021 <-> 111.221.74.40:40025 [proto: 125/Skype][1 pkts/79 bytes] - 128 UDP 192.168.1.34:13021 <-> 111.221.74.46:40027 [proto: 125/Skype][1 pkts/67 bytes] - 129 UDP 192.168.1.34:13021 <-> 111.221.77.159:40031 [proto: 125/Skype][1 pkts/72 bytes] - 130 UDP 192.168.1.34:13021 <-> 111.221.77.151:40029 [proto: 125/Skype][1 pkts/79 bytes] - 131 UDP 192.168.1.34:13021 <-> 111.221.77.154:40017 [proto: 125/Skype][1 pkts/77 bytes] - 132 UDP 192.168.1.34:13021 <-> 111.221.77.170:40021 [proto: 125/Skype][1 pkts/78 bytes] - 133 UDP 192.168.1.34:13021 <-> 189.188.134.174:22436 [proto: 125/Skype][1 pkts/60 bytes] - 134 TCP 192.168.1.34:51285 <-> 91.190.218.125:12350 [proto: 125/Skype][6 pkts/377 bytes] - 135 TCP 91.190.216.24:12350 <-> 192.168.1.34:51297 [proto: 125/Skype][15 pkts/3532 bytes] - 136 TCP 192.168.1.34:51299 <-> 91.190.216.125:12350 
[proto: 125/Skype][11 pkts/659 bytes] - 137 UDP 192.168.1.34:13021 <-> 157.55.235.146:33033 [proto: 125/Skype][1 pkts/76 bytes] - 138 UDP 192.168.1.34:13021 <-> 157.55.130.146:33033 [proto: 125/Skype][1 pkts/69 bytes] - 139 TCP 192.168.1.34:51291 <-> 81.83.77.141:17639 [proto: 125/Skype][15 pkts/1226 bytes] - 140 TCP 76.167.161.6:20274 <-> 192.168.1.34:51288 [proto: 125/Skype][15 pkts/1258 bytes] - 141 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][348 pkts/181687 bytes][server: *.gateway.messenger.live.com] - 142 TCP 157.56.52.28:443 <-> 192.168.1.34:51232 [proto: 125/Skype][13 pkts/1157 bytes] - 143 TCP 192.168.1.34:51241 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][15 pkts/1584 bytes] - 144 TCP 192.168.1.34:51261 <-> 157.55.235.170:443 [proto: 91.125/SSL.Skype][15 pkts/1569 bytes] - 145 TCP 192.168.1.34:51281 <-> 157.55.235.156:443 [proto: 91.125/SSL.Skype][15 pkts/1380 bytes] - 146 UDP 192.168.1.34:13021 <-> 174.49.171.224:32011 [proto: 125/Skype][5 pkts/300 bytes] - 147 UDP 192.168.1.34:13021 <-> 157.55.56.170:40015 [proto: 125/Skype][1 pkts/76 bytes] - 148 UDP 157.56.52.19:40020 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/68 bytes] - 149 UDP 157.56.52.16:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/66 bytes] - 150 UDP 157.56.52.25:40010 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/76 bytes] - 151 UDP 157.56.52.24:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 152 UDP 192.168.1.34:13021 <-> 157.55.130.154:40013 [proto: 125/Skype][1 pkts/66 bytes] - 153 UDP 192.168.1.34:13021 <-> 157.55.130.150:40007 [proto: 125/Skype][1 pkts/71 bytes] - 154 UDP 192.168.1.34:13021 <-> 157.55.130.149:40011 [proto: 125/Skype][1 pkts/77 bytes] - 155 UDP 192.168.1.34:13021 <-> 157.55.56.142:40013 [proto: 125/Skype][1 pkts/72 bytes] - 156 UDP 157.56.52.33:40002 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/71 bytes] - 157 UDP 157.56.52.29:40010 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] - 
158 UDP 192.168.1.34:13021 <-> 157.55.56.140:40003 [proto: 125/Skype][1 pkts/76 bytes] - 159 UDP 192.168.1.34:13021 <-> 157.56.52.43:40006 [proto: 125/Skype][1 pkts/78 bytes] - 160 UDP 192.168.1.34:13021 <-> 157.55.130.140:40011 [proto: 125/Skype][1 pkts/72 bytes] - 161 UDP 192.168.1.34:13021 <-> 157.55.130.146:40033 [proto: 125/Skype][1 pkts/73 bytes] - 162 UDP 192.168.1.34:13021 <-> 157.55.130.148:40019 [proto: 125/Skype][1 pkts/72 bytes] - 163 UDP 192.168.1.34:13021 <-> 157.55.235.148:40033 [proto: 125/Skype][1 pkts/75 bytes] - 164 UDP 192.168.1.34:13021 <-> 157.55.235.162:40033 [proto: 125/Skype][1 pkts/66 bytes] - 165 UDP 192.168.1.34:13021 <-> 157.55.130.156:40019 [proto: 125/Skype][1 pkts/64 bytes] - 166 UDP 192.168.1.34:13021 <-> 157.55.235.155:40027 [proto: 125/Skype][1 pkts/74 bytes] - 167 UDP 192.168.1.34:13021 <-> 157.55.56.161:40031 [proto: 125/Skype][1 pkts/67 bytes] - 168 UDP 192.168.1.34:13021 <-> 157.55.235.158:40027 [proto: 125/Skype][1 pkts/73 bytes] - 169 UDP 192.168.1.34:13021 <-> 157.55.130.157:40013 [proto: 125/Skype][1 pkts/64 bytes] - 170 UDP 192.168.1.34:13021 <-> 157.55.235.167:40029 [proto: 125/Skype][1 pkts/64 bytes] - 171 UDP 192.168.1.34:13021 <-> 157.55.130.167:40031 [proto: 125/Skype][1 pkts/79 bytes] - 172 UDP 192.168.1.34:13021 <-> 157.55.235.166:40015 [proto: 125/Skype][1 pkts/67 bytes] - 173 UDP 192.168.1.34:13021 <-> 157.55.235.174:40019 [proto: 125/Skype][1 pkts/72 bytes] - 174 UDP 192.168.1.34:13021 <-> 157.55.130.173:40003 [proto: 125/Skype][1 pkts/72 bytes] - 175 UDP 192.168.1.34:13021 <-> 157.55.235.176:40031 [proto: 125/Skype][1 pkts/73 bytes] - 176 UDP 192.168.1.34:13021 <-> 157.55.235.175:40023 [proto: 125/Skype][1 pkts/74 bytes] - 177 UDP 192.168.1.1:53 <-> 192.168.1.34:49864 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] - 178 TCP 149.13.32.15:13392 <-> 192.168.1.34:51316 [proto: 125/Skype][14 pkts/1176 bytes] - 179 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 
bytes] - 180 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] - 181 UDP 192.168.1.34:13021 <-> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/75 bytes] - 182 UDP 192.168.1.1:53 <-> 192.168.1.34:53372 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] - 183 UDP 192.168.1.92:53826 <-> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes] - 184 TCP 192.168.1.34:51271 <-> 213.199.179.175:443 [proto: 91/SSL][15 pkts/1415 bytes] - 185 UDP 192.168.1.1:53 <-> 192.168.1.34:55028 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: a.config.skype.com] - 186 TCP 192.168.1.34:51278 <-> 64.4.23.159:40009 [proto: 125/Skype][15 pkts/1219 bytes] - 187 TCP 192.168.1.34:51235 <-> 65.55.223.45:40009 [proto: 125/Skype][17 pkts/1341 bytes] - 188 UDP 192.168.1.1:53 <-> 192.168.1.34:55866 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] - 189 UDP 192.168.1.1:53 <-> 192.168.1.34:57592 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] - 190 UDP 192.168.1.1:53 <-> 192.168.1.34:57694 [proto: 5/DNS][2 pkts/267 bytes][Host: db3msgr5011709.gateway.messenger.live.com] - 191 UDP 192.168.1.34:13021 <-> 213.199.179.173:40013 [proto: 125/Skype][1 pkts/72 bytes] - 192 UDP 192.168.1.34:13021 <-> 213.199.179.140:40003 [proto: 125/Skype][1 pkts/70 bytes] - 193 UDP 192.168.1.34:13021 <-> 213.199.179.154:40017 [proto: 125/Skype][1 pkts/78 bytes] - 194 UDP 192.168.1.34:13021 <-> 213.199.179.144:40009 [proto: 125/Skype][1 pkts/69 bytes] - 195 UDP 192.168.1.34:13021 <-> 213.199.179.141:40015 [proto: 125/Skype][1 pkts/79 bytes] - 196 UDP 192.168.1.34:13021 <-> 213.199.179.156:40031 [proto: 125/Skype][1 pkts/79 bytes] - 197 UDP 192.168.1.34:13021 <-> 213.199.179.172:40011 [proto: 125/Skype][1 pkts/76 bytes] - 198 UDP 192.168.1.34:13021 <-> 213.199.179.174:40025 [proto: 125/Skype][1 pkts/71 bytes] - 199 TCP 192.168.1.34:51298 <-> 82.224.110.241:38895 [proto: 125/Skype][14 pkts/1150 
bytes] - 200 UDP 192.168.1.1:53 <-> 192.168.1.34:59788 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e4593.g.akamaiedge.net] - 201 UDP 192.168.1.1:53 <-> 192.168.1.34:60688 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] - 202 UDP 192.168.1.1:53 <-> 192.168.1.34:61016 [proto: 5.125/DNS.Skype][1 pkts/80 bytes][Host: apps.skypeassets.com] - 203 ICMP 192.168.1.1:0 <-> 192.168.1.34:0 [proto: 81/ICMP][4 pkts/328 bytes] - 204 UDP 192.168.1.1:53 <-> 192.168.1.34:63342 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 205 UDP 192.168.1.1:53 <-> 192.168.1.34:63514 [proto: 5.125/DNS.Skype][8 pkts/576 bytes][Host: ui.skype.com] - 206 UDP 192.168.1.1:53 <-> 192.168.1.34:64240 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] - 207 UDP 192.168.1.1:53 <-> 192.168.1.34:64258 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] - 208 UDP 192.168.1.1:53 <-> 192.168.1.34:64364 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst0.r.skype.net] - 209 UDP 192.168.1.34:137 <-> 192.168.1.255:137 [proto: 10/NetBIOS][7 pkts/680 bytes] - 210 UDP 192.168.1.1:137 <-> 192.168.1.34:137 [proto: 10/NetBIOS][8 pkts/1142 bytes] - 211 UDP 192.168.1.1:138 <-> 192.168.1.34:138 [proto: 10/NetBIOS][2 pkts/452 bytes] - 212 UDP 192.168.1.34:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][2 pkts/432 bytes] - 213 UDP 192.168.1.92:137 <-> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes] - 214 UDP 192.168.1.92:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/216 bytes] - 215 TCP 192.168.1.34:51318 <-> 212.161.8.36:13392 [proto: 125/Skype][10 pkts/857 bytes] - 216 TCP 192.168.1.34:51236 <-> 111.221.74.45:40008 [proto: 125/Skype][16 pkts/1257 bytes] - 217 TCP 111.221.74.18:40025 <-> 192.168.1.34:51267 [proto: 125/Skype][14 pkts/1163 bytes] - 218 TCP 192.168.1.34:51248 <-> 111.221.77.175:40030 [proto: 125/Skype][16 pkts/1284 bytes] - 219 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/SSL.Apple][76 
pkts/19581 bytes] - 220 IGMP 224.0.0.22:0 <-> 192.168.1.219:0 [proto: 82/IGMP][1 pkts/60 bytes] - 221 IGMP 224.0.0.1:0 <-> 192.168.0.254:0 [proto: 82/IGMP][1 pkts/46 bytes] - 222 IGMP 192.168.1.229:0 <-> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/60 bytes] - 223 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][17 pkts/3535 bytes][client: apps.skype.com] - 224 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][12 pkts/2148 bytes][client: apps.skype.com] - 225 UDP 192.168.1.34:13021 <-> 64.4.23.146:33033 [proto: 125/Skype][1 pkts/66 bytes] - 226 TCP 192.168.1.34:51255 <-> 157.55.130.142:40005 [proto: 125/Skype][17 pkts/1322 bytes] - 227 UDP 239.255.255.250:1900 <-> 192.168.0.254:1025 [proto: 12/SSDP][36 pkts/13402 bytes] - 228 TCP 192.168.1.34:51253 <-> 64.4.23.166:443 [proto: 91/SSL][14 pkts/1432 bytes] - 229 UDP 192.168.1.92:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/142 bytes][Lucas-iMac.local] - 230 UDP 192.168.1.34:13021 <-> 64.4.23.145:40027 [proto: 125/Skype][1 pkts/73 bytes] - 231 UDP 192.168.1.34:13021 <-> 64.4.23.142:40023 [proto: 125/Skype][1 pkts/72 bytes] - 232 UDP 192.168.1.34:13021 <-> 64.4.23.140:40003 [proto: 125/Skype][1 pkts/67 bytes] - 233 TCP 192.168.1.34:51308 <-> 80.121.84.93:443 [proto: 91/SSL][6 pkts/468 bytes] - 234 UDP 192.168.1.34:13021 <-> 64.4.23.173:40017 [proto: 125/Skype][1 pkts/76 bytes] - 235 UDP 192.168.1.34:13021 <-> 64.4.23.148:40029 [proto: 125/Skype][1 pkts/79 bytes] - 236 UDP 192.168.1.34:13021 <-> 64.4.23.151:40029 [proto: 125/Skype][1 pkts/69 bytes] - 237 UDP 192.168.1.34:13021 <-> 64.4.23.171:40031 [proto: 125/Skype][1 pkts/79 bytes] - 238 UDP 192.168.1.34:13021 <-> 64.4.23.158:40021 [proto: 125/Skype][1 pkts/76 bytes] - 239 UDP 192.168.1.34:13021 <-> 64.4.23.170:40011 [proto: 125/Skype][1 pkts/66 bytes] - 240 UDP 192.168.1.34:13021 <-> 64.4.23.176:40001 [proto: 125/Skype][1 pkts/69 bytes] - 241 UDP 65.55.223.33:40002 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] - 242 
UDP 65.55.223.32:40022 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] - 243 UDP 65.55.223.28:40014 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] - 244 UDP 65.55.223.16:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] - 245 UDP 65.55.223.15:40030 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] - 246 UDP 192.168.1.34:13021 <-> 65.55.223.44:40020 [proto: 125/Skype][1 pkts/76 bytes] - 247 UDP 192.168.1.34:13021 <-> 65.55.223.42:40024 [proto: 125/Skype][1 pkts/76 bytes] - 248 UDP 192.168.1.34:13021 <-> 65.55.223.43:40006 [proto: 125/Skype][1 pkts/77 bytes] - 249 UDP [fe80::c62c:3ff:fe06:49fe]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes] - 250 TCP 192.168.1.34:51240 <-> 111.221.74.45:443 [proto: 91.125/SSL.Skype][14 pkts/1373 bytes] - 251 TCP 111.221.74.18:443 <-> 192.168.1.34:51268 [proto: 125/Skype][14 pkts/1203 bytes] - 252 TCP 192.168.1.34:51250 <-> 111.221.77.175:443 [proto: 91.125/SSL.Skype][14 pkts/1363 bytes] - 253 TCP 192.168.1.34:51269 <-> 213.199.179.175:40029 [proto: 125/Skype][19 pkts/1491 bytes] + 118 TCP 192.168.1.34:51293 <-> 5.248.186.221:31010 [proto: 125/Skype][20 pkts/3905 bytes] + 119 UDP 192.168.1.34:13021 <-> 111.221.74.34:40027 [proto: 125/Skype][1 pkts/73 bytes] + 120 UDP 111.221.74.33:40011 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/76 bytes] + 121 UDP 111.221.74.13:40009 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/64 bytes] + 122 UDP 111.221.74.27:40027 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] + 123 UDP 111.221.74.20:40033 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] + 124 UDP 111.221.74.19:40001 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/73 bytes] + 125 UDP 192.168.1.34:13021 <-> 111.221.74.44:40019 [proto: 125/Skype][1 pkts/70 bytes] + 126 UDP 192.168.1.34:13021 <-> 111.221.74.38:40015 [proto: 125/Skype][1 pkts/64 bytes] + 127 UDP 192.168.1.34:13021 <-> 111.221.74.43:40001 [proto: 125/Skype][1 pkts/67 bytes] + 128 UDP 
192.168.1.34:13021 <-> 111.221.74.40:40025 [proto: 125/Skype][1 pkts/79 bytes] + 129 UDP 192.168.1.34:13021 <-> 111.221.74.46:40027 [proto: 125/Skype][1 pkts/67 bytes] + 130 UDP 192.168.1.34:13021 <-> 111.221.77.159:40031 [proto: 125/Skype][1 pkts/72 bytes] + 131 UDP 192.168.1.34:13021 <-> 111.221.77.151:40029 [proto: 125/Skype][1 pkts/79 bytes] + 132 UDP 192.168.1.34:13021 <-> 111.221.77.154:40017 [proto: 125/Skype][1 pkts/77 bytes] + 133 UDP 192.168.1.34:13021 <-> 111.221.77.170:40021 [proto: 125/Skype][1 pkts/78 bytes] + 134 UDP 192.168.1.34:13021 <-> 189.188.134.174:22436 [proto: 125/Skype][1 pkts/60 bytes] + 135 TCP 192.168.1.34:51285 <-> 91.190.218.125:12350 [proto: 125/Skype][6 pkts/377 bytes] + 136 TCP 91.190.216.24:12350 <-> 192.168.1.34:51297 [proto: 125/Skype][15 pkts/3532 bytes] + 137 TCP 192.168.1.34:51299 <-> 91.190.216.125:12350 [proto: 125/Skype][11 pkts/659 bytes] + 138 UDP 192.168.1.34:13021 <-> 157.55.235.146:33033 [proto: 125/Skype][1 pkts/76 bytes] + 139 UDP 192.168.1.34:13021 <-> 157.55.130.146:33033 [proto: 125/Skype][1 pkts/69 bytes] + 140 TCP 192.168.1.34:51291 <-> 81.83.77.141:17639 [proto: 125/Skype][15 pkts/1226 bytes] + 141 TCP 76.167.161.6:20274 <-> 192.168.1.34:51288 [proto: 125/Skype][15 pkts/1258 bytes] + 142 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][348 pkts/181687 bytes][server: *.gateway.messenger.live.com] + 143 TCP 157.56.52.28:443 <-> 192.168.1.34:51232 [proto: 125/Skype][13 pkts/1157 bytes] + 144 TCP 192.168.1.34:51241 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][15 pkts/1584 bytes] + 145 TCP 192.168.1.34:51261 <-> 157.55.235.170:443 [proto: 91.125/SSL.Skype][15 pkts/1569 bytes] + 146 TCP 192.168.1.34:51281 <-> 157.55.235.156:443 [proto: 91.125/SSL.Skype][15 pkts/1380 bytes] + 147 UDP 192.168.1.34:13021 <-> 174.49.171.224:32011 [proto: 125/Skype][5 pkts/300 bytes] + 148 UDP 192.168.1.34:13021 <-> 157.55.56.170:40015 [proto: 125/Skype][1 pkts/76 bytes] + 149 UDP 157.56.52.19:40020 <-> 
192.168.1.34:13021 [proto: 125/Skype][1 pkts/68 bytes] + 150 UDP 157.56.52.16:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/66 bytes] + 151 UDP 157.56.52.25:40010 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/76 bytes] + 152 UDP 157.56.52.24:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] + 153 UDP 192.168.1.34:13021 <-> 157.55.130.154:40013 [proto: 125/Skype][1 pkts/66 bytes] + 154 UDP 192.168.1.34:13021 <-> 157.55.130.150:40007 [proto: 125/Skype][1 pkts/71 bytes] + 155 UDP 192.168.1.34:13021 <-> 157.55.130.149:40011 [proto: 125/Skype][1 pkts/77 bytes] + 156 UDP 192.168.1.34:13021 <-> 157.55.56.142:40013 [proto: 125/Skype][1 pkts/72 bytes] + 157 UDP 157.56.52.33:40002 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/71 bytes] + 158 UDP 157.56.52.29:40010 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/67 bytes] + 159 UDP 192.168.1.34:13021 <-> 157.55.56.140:40003 [proto: 125/Skype][1 pkts/76 bytes] + 160 UDP 192.168.1.34:13021 <-> 157.56.52.43:40006 [proto: 125/Skype][1 pkts/78 bytes] + 161 UDP 192.168.1.34:13021 <-> 157.55.130.140:40011 [proto: 125/Skype][1 pkts/72 bytes] + 162 UDP 192.168.1.34:13021 <-> 157.55.130.146:40033 [proto: 125/Skype][1 pkts/73 bytes] + 163 UDP 192.168.1.34:13021 <-> 157.55.130.148:40019 [proto: 125/Skype][1 pkts/72 bytes] + 164 UDP 192.168.1.34:13021 <-> 157.55.235.148:40033 [proto: 125/Skype][1 pkts/75 bytes] + 165 UDP 192.168.1.34:13021 <-> 157.55.235.162:40033 [proto: 125/Skype][1 pkts/66 bytes] + 166 UDP 192.168.1.34:13021 <-> 157.55.130.156:40019 [proto: 125/Skype][1 pkts/64 bytes] + 167 UDP 192.168.1.34:13021 <-> 157.55.235.155:40027 [proto: 125/Skype][1 pkts/74 bytes] + 168 UDP 192.168.1.34:13021 <-> 157.55.56.161:40031 [proto: 125/Skype][1 pkts/67 bytes] + 169 UDP 192.168.1.34:13021 <-> 157.55.235.158:40027 [proto: 125/Skype][1 pkts/73 bytes] + 170 UDP 192.168.1.34:13021 <-> 157.55.130.157:40013 [proto: 125/Skype][1 pkts/64 bytes] + 171 UDP 192.168.1.34:13021 <-> 157.55.235.167:40029 [proto: 
125/Skype][1 pkts/64 bytes] + 172 UDP 192.168.1.34:13021 <-> 157.55.130.167:40031 [proto: 125/Skype][1 pkts/79 bytes] + 173 UDP 192.168.1.34:13021 <-> 157.55.235.166:40015 [proto: 125/Skype][1 pkts/67 bytes] + 174 UDP 192.168.1.34:13021 <-> 157.55.235.174:40019 [proto: 125/Skype][1 pkts/72 bytes] + 175 UDP 192.168.1.34:13021 <-> 157.55.130.173:40003 [proto: 125/Skype][1 pkts/72 bytes] + 176 UDP 192.168.1.34:13021 <-> 157.55.235.176:40031 [proto: 125/Skype][1 pkts/73 bytes] + 177 UDP 192.168.1.34:13021 <-> 157.55.235.175:40023 [proto: 125/Skype][1 pkts/74 bytes] + 178 UDP 192.168.1.1:53 <-> 192.168.1.34:49864 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] + 179 TCP 149.13.32.15:13392 <-> 192.168.1.34:51316 [proto: 125/Skype][14 pkts/1176 bytes] + 180 UDP 192.168.1.34:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] + 181 UDP 192.168.1.92:17500 <-> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes] + 182 UDP 192.168.1.34:13021 <-> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/75 bytes] + 183 UDP 192.168.1.1:53 <-> 192.168.1.34:53372 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] + 184 UDP 192.168.1.92:53826 <-> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes] + 185 TCP 192.168.1.34:51271 <-> 213.199.179.175:443 [proto: 91/SSL][15 pkts/1415 bytes] + 186 UDP 192.168.1.1:53 <-> 192.168.1.34:55028 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: a.config.skype.com] + 187 TCP 192.168.1.34:51278 <-> 64.4.23.159:40009 [proto: 125/Skype][15 pkts/1219 bytes] + 188 TCP 192.168.1.34:51235 <-> 65.55.223.45:40009 [proto: 125/Skype][17 pkts/1341 bytes] + 189 UDP 192.168.1.1:53 <-> 192.168.1.34:55866 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: pipe.prd.skypedata.akadns.net] + 190 UDP 192.168.1.1:53 <-> 192.168.1.34:57592 [proto: 5.125/DNS.Skype][7 pkts/623 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] + 191 UDP 192.168.1.1:53 <-> 192.168.1.34:57694 [proto: 5/DNS][2 pkts/267 bytes][Host: 
db3msgr5011709.gateway.messenger.live.com] + 192 UDP 192.168.1.34:13021 <-> 213.199.179.173:40013 [proto: 125/Skype][1 pkts/72 bytes] + 193 UDP 192.168.1.34:13021 <-> 213.199.179.140:40003 [proto: 125/Skype][1 pkts/70 bytes] + 194 UDP 192.168.1.34:13021 <-> 213.199.179.154:40017 [proto: 125/Skype][1 pkts/78 bytes] + 195 UDP 192.168.1.34:13021 <-> 213.199.179.144:40009 [proto: 125/Skype][1 pkts/69 bytes] + 196 UDP 192.168.1.34:13021 <-> 213.199.179.141:40015 [proto: 125/Skype][1 pkts/79 bytes] + 197 UDP 192.168.1.34:13021 <-> 213.199.179.156:40031 [proto: 125/Skype][1 pkts/79 bytes] + 198 UDP 192.168.1.34:13021 <-> 213.199.179.172:40011 [proto: 125/Skype][1 pkts/76 bytes] + 199 UDP 192.168.1.34:13021 <-> 213.199.179.174:40025 [proto: 125/Skype][1 pkts/71 bytes] + 200 TCP 192.168.1.34:51298 <-> 82.224.110.241:38895 [proto: 125/Skype][14 pkts/1150 bytes] + 201 UDP 192.168.1.1:53 <-> 192.168.1.34:59788 [proto: 5.125/DNS.Skype][2 pkts/180 bytes][Host: e4593.g.akamaiedge.net] + 202 UDP 192.168.1.1:53 <-> 192.168.1.34:60688 [proto: 5.125/DNS.Skype][8 pkts/648 bytes][Host: conn.skype.akadns.net] + 203 UDP 192.168.1.1:53 <-> 192.168.1.34:61016 [proto: 5.125/DNS.Skype][1 pkts/80 bytes][Host: apps.skypeassets.com] + 204 ICMP 192.168.1.1:0 <-> 192.168.1.34:0 [proto: 81/ICMP][4 pkts/328 bytes] + 205 UDP 192.168.1.1:53 <-> 192.168.1.34:63342 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 206 UDP 192.168.1.1:53 <-> 192.168.1.34:63514 [proto: 5.125/DNS.Skype][8 pkts/576 bytes][Host: ui.skype.com] + 207 UDP 192.168.1.1:53 <-> 192.168.1.34:64240 [proto: 5.125/DNS.Skype][7 pkts/511 bytes][Host: api.skype.com] + 208 UDP 192.168.1.1:53 <-> 192.168.1.34:64258 [proto: 5.125/DNS.Skype][7 pkts/546 bytes][Host: b.config.skype.com] + 209 UDP 192.168.1.1:53 <-> 192.168.1.34:64364 [proto: 5.125/DNS.Skype][7 pkts/616 bytes][Host: 335.0.7.7.3.rst0.r.skype.net] + 210 UDP 192.168.1.34:137 <-> 192.168.1.255:137 [proto: 10/NetBIOS][7 pkts/680 bytes] + 211 UDP 192.168.1.1:137 
<-> 192.168.1.34:137 [proto: 10/NetBIOS][8 pkts/1142 bytes] + 212 UDP 192.168.1.1:138 <-> 192.168.1.34:138 [proto: 10/NetBIOS][2 pkts/452 bytes] + 213 UDP 192.168.1.34:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][2 pkts/432 bytes] + 214 UDP 192.168.1.92:137 <-> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes] + 215 UDP 192.168.1.92:138 <-> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/216 bytes] + 216 TCP 192.168.1.34:51318 <-> 212.161.8.36:13392 [proto: 125/Skype][10 pkts/857 bytes] + 217 TCP 192.168.1.34:51236 <-> 111.221.74.45:40008 [proto: 125/Skype][16 pkts/1257 bytes] + 218 TCP 111.221.74.18:40025 <-> 192.168.1.34:51267 [proto: 125/Skype][14 pkts/1163 bytes] + 219 TCP 192.168.1.34:51248 <-> 111.221.77.175:40030 [proto: 125/Skype][16 pkts/1284 bytes] + 220 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/SSL.Apple][76 pkts/19581 bytes] + 221 IGMP 224.0.0.22:0 <-> 192.168.1.219:0 [proto: 82/IGMP][1 pkts/60 bytes] + 222 IGMP 224.0.0.1:0 <-> 192.168.0.254:0 [proto: 82/IGMP][1 pkts/46 bytes] + 223 IGMP 192.168.1.229:0 <-> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/60 bytes] + 224 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][17 pkts/3535 bytes][client: apps.skype.com] + 225 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][12 pkts/2148 bytes][client: apps.skype.com] + 226 UDP 192.168.1.34:13021 <-> 64.4.23.146:33033 [proto: 125/Skype][1 pkts/66 bytes] + 227 TCP 192.168.1.34:51255 <-> 157.55.130.142:40005 [proto: 125/Skype][17 pkts/1322 bytes] + 228 UDP 239.255.255.250:1900 <-> 192.168.0.254:1025 [proto: 12/SSDP][36 pkts/13402 bytes] + 229 TCP 192.168.1.34:51253 <-> 64.4.23.166:443 [proto: 91/SSL][14 pkts/1432 bytes] + 230 UDP 192.168.1.92:5353 <-> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/142 bytes][Lucas-iMac.local] + 231 UDP 192.168.1.34:13021 <-> 64.4.23.145:40027 [proto: 125/Skype][1 pkts/73 bytes] + 232 UDP 192.168.1.34:13021 <-> 64.4.23.142:40023 [proto: 125/Skype][1 pkts/72 bytes] + 233 UDP 
192.168.1.34:13021 <-> 64.4.23.140:40003 [proto: 125/Skype][1 pkts/67 bytes] + 234 TCP 192.168.1.34:51308 <-> 80.121.84.93:443 [proto: 91/SSL][6 pkts/468 bytes] + 235 UDP 192.168.1.34:13021 <-> 64.4.23.173:40017 [proto: 125/Skype][1 pkts/76 bytes] + 236 UDP 192.168.1.34:13021 <-> 64.4.23.148:40029 [proto: 125/Skype][1 pkts/79 bytes] + 237 UDP 192.168.1.34:13021 <-> 64.4.23.151:40029 [proto: 125/Skype][1 pkts/69 bytes] + 238 UDP 192.168.1.34:13021 <-> 64.4.23.171:40031 [proto: 125/Skype][1 pkts/79 bytes] + 239 UDP 192.168.1.34:13021 <-> 64.4.23.158:40021 [proto: 125/Skype][1 pkts/76 bytes] + 240 UDP 192.168.1.34:13021 <-> 64.4.23.170:40011 [proto: 125/Skype][1 pkts/66 bytes] + 241 UDP 192.168.1.34:13021 <-> 64.4.23.176:40001 [proto: 125/Skype][1 pkts/69 bytes] + 242 UDP 65.55.223.33:40002 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] + 243 UDP 65.55.223.32:40022 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] + 244 UDP 65.55.223.28:40014 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/74 bytes] + 245 UDP 65.55.223.16:40032 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/70 bytes] + 246 UDP 65.55.223.15:40030 <-> 192.168.1.34:13021 [proto: 125/Skype][1 pkts/77 bytes] + 247 UDP 192.168.1.34:13021 <-> 65.55.223.44:40020 [proto: 125/Skype][1 pkts/76 bytes] + 248 UDP 192.168.1.34:13021 <-> 65.55.223.42:40024 [proto: 125/Skype][1 pkts/76 bytes] + 249 UDP 192.168.1.34:13021 <-> 65.55.223.43:40006 [proto: 125/Skype][1 pkts/77 bytes] + 250 UDP [fe80::c62c:3ff:fe06:49fe]:5353 <-> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes] + 251 TCP 192.168.1.34:51240 <-> 111.221.74.45:443 [proto: 91.125/SSL.Skype][14 pkts/1373 bytes] + 252 TCP 111.221.74.18:443 <-> 192.168.1.34:51268 [proto: 125/Skype][14 pkts/1203 bytes] + 253 TCP 192.168.1.34:51250 <-> 111.221.77.175:443 [proto: 91.125/SSL.Skype][14 pkts/1363 bytes] + 254 TCP 192.168.1.34:51269 <-> 213.199.179.175:40029 [proto: 125/Skype][19 pkts/1491 bytes] Undetected flows: 
@@ -274,10 +275,9 @@ Undetected flows: 5 TCP 192.168.1.34:51315 <-> 212.161.8.36:13392 [proto: 0/Unknown][23 pkts/12290 bytes] 6 TCP 192.168.1.34:51319 <-> 212.161.8.36:13392 [proto: 0/Unknown][1 pkts/78 bytes] 7 TCP 192.168.1.34:51306 <-> 80.121.84.93:62381 [proto: 0/Unknown][6 pkts/468 bytes] - 8 TCP 192.168.1.34:51293 <-> 5.248.186.221:31010 [proto: 0/Unknown][20 pkts/3905 bytes] - 9 TCP 192.168.1.34:51292 <-> 71.238.7.203:18767 [proto: 0/Unknown][30 pkts/4904 bytes] - 10 TCP 192.168.1.34:51314 <-> 93.79.224.176:14506 [proto: 0/Unknown][20 pkts/2059 bytes] - 11 TCP 76.167.161.6:20274 <-> 192.168.1.34:51300 [proto: 0/Unknown][3 pkts/206 bytes] - 12 TCP 149.13.32.15:13392 <-> 192.168.1.34:51312 [proto: 0/Unknown][25 pkts/15642 bytes] - 13 UDP 192.168.1.1:5351 <-> 192.168.1.34:59052 [proto: 0/Unknown][4 pkts/216 bytes] - 14 TCP 192.168.1.34:51303 <-> 80.121.84.93:62381 [proto: 0/Unknown][7 pkts/546 bytes] + 8 TCP 192.168.1.34:51292 <-> 71.238.7.203:18767 [proto: 0/Unknown][30 pkts/4904 bytes] + 9 TCP 192.168.1.34:51314 <-> 93.79.224.176:14506 [proto: 0/Unknown][20 pkts/2059 bytes] + 10 TCP 76.167.161.6:20274 <-> 192.168.1.34:51300 [proto: 0/Unknown][3 pkts/206 bytes] + 11 TCP 149.13.32.15:13392 <-> 192.168.1.34:51312 [proto: 0/Unknown][25 pkts/15642 bytes] + 12 UDP 192.168.1.1:5351 <-> 192.168.1.34:59052 [proto: 0/Unknown][4 pkts/216 bytes] + 13 TCP 192.168.1.34:51303 <-> 80.121.84.93:62381 [proto: 0/Unknown][7 pkts/546 bytes] diff --git a/tests/result/viber_mobile.pcap.out b/tests/result/viber_mobile.pcap.out index 6ae99d378..51b426378 100644 --- a/tests/result/viber_mobile.pcap.out +++ b/tests/result/viber_mobile.pcap.out 
@@ -70,7 +70,7 @@ Amazon 8 528 1 55 TCP 192.168.200.222:37376 <-> 74.125.68.239:443 [proto: 91.126/SSL.Google][7 pkts/532 bytes] 56 TCP 52.0.253.46:443 <-> 192.168.200.222:43287 [proto: 64/SSL_No_Cert][36 pkts/5874 bytes] 57 UDP 8.8.8.8:53 <-> 192.168.200.222:52263 [proto: 5.142/DNS.WhatsApp][2 pkts/278 bytes][Host: e9.whatsapp.net] - 58 TCP 23.21.254.189:443 <-> 192.168.200.222:51146 [proto: 91/SSL][22 pkts/9241 bytes][client: e.crashlytics.com] + 58 TCP 23.21.254.189:443 <-> 192.168.200.222:51146 [proto: 91/SSL][22 pkts/9241 bytes][client: e.crashlytics.com][server: *.crashlytics.com] 59 TCP 52.0.253.46:4244 <-> 192.168.200.222:43454 [proto: 144/Viber][16 pkts/2043 bytes] 60 TCP 74.125.200.18:443 <-> 192.168.200.222:42040 [proto: 91.122/SSL.GMail][33 pkts/14532 bytes][client: mail.google.com] 61 UDP 37.214.167.82:11905 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][1 pkts/146 bytes] @@ -84,7 +84,7 @@ Amazon 8 528 1 69 UDP 192.168.200.222:39413 <-> 81.192.42.247:15057 [proto: 37/BitTorrent][1 pkts/146 bytes] 70 UDP 92.245.59.202:12998 <-> 192.168.200.222:39413 [proto: 37/BitTorrent][2 pkts/505 bytes] 71 TCP 108.160.172.205:443 <-> 192.168.200.222:51765 [proto: 91.121/SSL.Dropbox][2 pkts/163 bytes] - 72 TCP 107.22.192.179:443 <-> 192.168.200.222:52269 [proto: 91/SSL][26 pkts/10057 bytes][client: settings.crashlytics.com] + 72 TCP 107.22.192.179:443 <-> 192.168.200.222:52269 [proto: 91/SSL][26 pkts/10057 bytes][client: settings.crashlytics.com][server: *.crashlytics.com] Undetected flows: diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out index 889f7d4f9..2bca4171c 100644 --- a/tests/result/webex.pcap.out +++ b/tests/result/webex.pcap.out 
@@ -61,5 +61,5 @@ Amazon 3 174 1 53 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][38 pkts/42482 bytes][server: *.webex.com] 54 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][17 pkts/8401 bytes][server: *.webex.com] 55 TCP 10.8.0.1:41394 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][11 pkts/697 bytes] - 56 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91/SSL][30 pkts/9568 bytes][client: api.crittercism.com] + 56 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91/SSL][30 pkts/9568 bytes][client: api.crittercism.com][server: *.crittercism.com] 57 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/SSL.Webex][17 pkts/7969 bytes][server: *.webex.com] -- cgit v1.2.3 From d8b2189cc30f675fba46b072d162dc5943b1c362 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Fri, 14 Apr 2017 00:07:46 +0200 Subject: Initial wireshark integration via extcap interface --- example/ndpiReader.c | 242 ++++++++++++++++++++++++++++++++++++++++++++++++--- example/ndpi_util.c | 42 ++++----- example/ndpi_util.h | 6 +- 3 files changed, 255 insertions(+), 35 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index dda137df9..0852777c8 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -24,11 +24,11 @@ #endif #include #include +#include #ifdef WIN32 #include /* winsock.h is included automatically */ #include #include -#include #define getopt getopt____ #else #include @@ -81,6 +81,10 @@ static time_t capture_for = 0; static time_t capture_until = 0; static u_int32_t num_flows; +static pcap_dumper_t *extcap_dumper = NULL; +static char *extcap_capture_fifo = NULL; +static u_int16_t extcap_packet_filter = (u_int16_t)-1; + // struct associated to a workflow for a thread struct reader_thread { struct ndpi_workflow * workflow; 
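Review bot: In the `@@ -81,6 +81,10 @@` hunk of example/ndpiReader.c, `extcap_capture_fifo` starts out as NULL and `extcap_packet_filter` uses `(u_int16_t)-1` as a sentinel, and neither is documented. `extcap_capture()`, added further down in this commit, passes the pointer to `pcap_dump_open()` and to a `%s` conversion without a NULL check. The option parsing that would set it is not visible here, so it is unclear whether `--capture` without `--fifo` is rejected earlier. I would add `/* path given with --fifo; NULL until parsed, check before use */` above the first declaration and, if that is the intent, `/* (u_int16_t)-1 = no nDPI protocol filter */` above the second. The capture path should also return with an error when the fifo is still NULL.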
@@ -104,8 +108,15 @@ typedef struct ndpi_id { u_int32_t current_ndpi_memory = 0, max_ndpi_memory = 0; -/********************** FUNCTIONS ********************* */ +void test_lib(); /* Forward */ + +/* ********************************** */ + +#ifdef DEBUG_TRACE +FILE *trace = NULL; +#endif +/********************** FUNCTIONS ********************* */ /** * @brief Set main components necessary to the detection @@ -142,6 +153,20 @@ static void help(u_int long_help) { " -h | This help\n" " -v <1|2> | Verbose 'unknown protocol' packet print. 1=verbose, 2=very verbose\n"); + #ifndef WIN32 + printf("\nExcap (wireshark) options:\n" + " --extcap-interfaces\n" + " --extcap-version\n" + " --extcap-dlts\n" + " --extcap-interface \n" + " --extcap-config\n" + " --capture\n" + " --extcap-capture-filter\n" + " --fifo \n" + " --debug\n" + ); + #endif + if(long_help) { printf("\n\nSupported protocols:\n"); num_threads = 1; 
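Review bot: `void test_lib(); /* Forward */` in the `@@ -104,8 +108,15 @@` hunk declares the function without a prototype, so before C23 the compiler does not check the arguments of calls such as the one in `extcap_capture()`. Assuming the definition takes no parameters, write `void test_lib(void);`. The new `FILE *trace = NULL;` has external linkage and a very generic name, while the other globals this commit adds (`extcap_dumper`, `extcap_capture_fifo`) are `static`. `static FILE *trace = NULL;` would keep it out of the link namespace, unless another translation unit needs it, which is not visible here.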
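Review bot: The help text added in the `@@ -142,6 +153,20 @@` hunk heads the block `Excap (wireshark) options:`, which should read `Extcap`. It also omits `--ndpi-proto-filter`, which the `longopts` table added later in this commit accepts. I would change the first string to `"\nExtcap (wireshark) options:\n"` and add a line such as `" --ndpi-proto-filter <protocol id>\n"`, since `extcap_config()` appears to offer numeric protocol values for that option. The block is guarded by `#ifndef WIN32` while the `longopts` entries as shown are not, so the two should be made consistent. The body of `help()` starts and ends outside the hunk.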
@@ -152,28 +177,153 @@ static void help(u_int long_help) { } +static struct option longopts[] = { + /* mandatory extcap options */ + { "extcap-interfaces", no_argument, NULL, '0'}, + { "extcap-version", optional_argument, NULL, '1'}, + { "extcap-dlts", no_argument, NULL, '2'}, + { "extcap-interface", required_argument, NULL, '3'}, + { "extcap-config", no_argument, NULL, '4'}, + { "capture", no_argument, NULL, '5'}, + { "extcap-capture-filter", required_argument, NULL, '6'}, + { "fifo", required_argument, NULL, '7'}, + { "debug", optional_argument, NULL, '8'}, + { "ndpi-proto-filter", required_argument, NULL, '9'}, + + /* ndpiReader options */ + { "enable-protocol-guess", no_argument, NULL, 'd'}, + { "interface", required_argument, NULL, 'i'}, + { "filter", required_argument, NULL, 'f'}, + { "cpu-bind", required_argument, NULL, 'g'}, + { "loops", required_argument, NULL, 'l'}, + { "num-threads", required_argument, NULL, 'n'}, + + { "protos", required_argument, NULL, 'p'}, + { "capture-duration", required_argument, NULL, 's'}, + { "decode-tunnels", no_argument, NULL, 't'}, + { "revision", no_argument, NULL, 'r'}, + { "verbose", no_argument, NULL, 'v'}, + { "version", no_argument, NULL, 'V'}, + { "help", no_argument, NULL, 'h'}, + { "json", required_argument, NULL, 'j'}, + { "result-path", required_argument, NULL, 'w'}, + { "quiet", no_argument, NULL, 'q'}, + + {0, 0, 0, 0} +}; + +/* ********************************** */ + +void extcap_interfaces() { + printf("extcap {version=%s}\n", ndpi_revision()); + printf("interface {value=ndpi}{display=nDPI interface}\n"); + exit(0); +} + +/* ********************************** */ + +void extcap_dlts() { + u_int dlts_number = DLT_EN10MB; + printf("dlt {number=%u}{name=%s}{display=%s}\n", dlts_number, "ndpi", "nDPI interface"); + exit(0); +} + +/* ********************************** */ + +void extcap_config() { + int i, argidx = 0; + struct ndpi_detection_module_struct *ndpi_mod; + +#if 1 + printf("arg 
{number=%u}{call=-i}{display=Capture Interface Name}{type=string}" + "{tooltip=The interface name}\n", argidx++); +#else + + printf("arg {number=%u}{call=-i}{display=Pcap File to Analize}{type=fileselect}" + "{tooltip=The pcap file to analyze (if the interface is unspecified)}\n", argidx++); +#endif + + printf("arg {number=%u}{call=-9}{display=nDPI Protocol}{type=selector}" + "{tooltip=nDPI Protocol to be filtered}\n", argidx); + + setupDetection(0, NULL); + ndpi_mod = ndpi_thread_info[0].workflow->ndpi_struct; + + printf("value {arg=%d}{value=%d}{display=%s}\n", argidx, -1, "All Protocols (no nDPI filtering)"); + + for(i=0; i<(int)ndpi_mod->ndpi_num_supported_protocols; i++) + printf("value {arg=%d}{value=%d}{display=%s (%u)}\n", argidx, i, + ndpi_mod->proto_defaults[i].protoName, i); + + exit(0); +} + +/* ********************************** */ + +void extcap_capture() { +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, " #### %s #### \n", __FUNCTION__); +#endif + + if((extcap_dumper = pcap_dump_open(pcap_open_dead(DLT_EN10MB, 16384 /* MTU */), + extcap_capture_fifo)) == NULL) { + fprintf(stderr, "Unable to open the pcap dumper on %s", extcap_capture_fifo); + +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Unable to open the pcap dumper on %s\n", + extcap_capture_fifo); +#endif + return; + } + +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Starting packet capture [%p]\n", extcap_dumper); +#endif + + test_lib(); + pcap_dump_close(extcap_dumper); + +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "End of packet capture [%p]\n", extcap_dumper); +#endif +} + +/* ********************************** */ + /** * @brief Option parser */ static void parseOptions(int argc, char **argv) { - + int option_idx = 0, do_capture = 0; char *__pcap_file = NULL, *bind_mask = NULL; int thread_id, opt; #ifdef linux u_int num_cores = sysconf(_SC_NPROCESSORS_ONLN); #endif - while ((opt = getopt(argc, argv, "df:g:i:hp:l:s:tv:V:n:j:rp:w:q")) != EOF) { +#ifdef DEBUG_TRACE + trace = 
fopen("/tmp/ndpiReader.log", "a"); + + if(trace) fprintf(trace, " #### %s #### \n", __FUNCTION__); +#endif + + while ((opt = getopt_long(argc, argv, "df:g:i:hp:l:s:tv:V:n:j:rp:w:q0123:456:7:89:", longopts, &option_idx)) != EOF) { +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, " #### -%c [%s] #### \n", opt, optarg ? optarg : ""); +#endif + switch (opt) { case 'd': enable_protocol_guess = 0; break; case 'i': + case '3': _pcap_file[0] = optarg; break; case 'f': + case '6': _bpf_filter = optarg; break; @@ -240,12 +390,47 @@ static void parseOptions(int argc, char **argv) { quiet_mode = 1; break; + /* Extcap */ + case '0': + extcap_interfaces(); + break; + + case '1': + printf("extcap {version=%s}\n", ndpi_revision()); + break; + + case '2': + extcap_dlts(); + break; + + case '4': + extcap_config(); + break; + + case '5': + do_capture = 1; + break; + + case '7': + extcap_capture_fifo = strdup(optarg); + break; + + case '8': + nDPI_traceLevel = 9; + break; + + case '9': + extcap_packet_filter = atoi(optarg); + break; + default: help(0); break; } } + if(do_capture) extcap_capture(); + // check parameters if(_pcap_file[0] == NULL || strcmp(_pcap_file[0], "") == 0) { help(0); @@ -277,6 +462,10 @@ static void parseOptions(int argc, char **argv) { } } #endif + +#ifdef DEBUG_TRACE + if(trace) fclose(trace); +#endif } @@ -370,7 +559,7 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { ntohs(flow->upper_port)); if(flow->vlan_id > 0) fprintf(out, "[VLAN: %u]", flow->vlan_id); - + if(flow->detected_protocol.master_protocol) { char buf[64]; 
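Review bot: The DEBUG_TRACE log in parseOptions is opened with `fopen("/tmp/ndpiReader.log", "a")`, a fixed name in a world-writable directory, so a debug build started with capture privileges appends to whatever file or symlink another local user has already placed at that path. Creating it with `open()` using `O_NOFOLLOW` and mode 0600 and then `fdopen()`, or logging into a directory only the invoking user can write, removes that exposure. In the same hunk extcap_capture() passes `extcap_capture_fifo` to pcap_dump_open() and to `fprintf` unchecked, and it is still NULL when `--capture` is given without `--fifo`; an early `if(extcap_capture_fifo == NULL)` error return would cover it. After `pcap_dump_close(extcap_dumper)` the pointer should also be reset with `extcap_dumper = NULL;`, because the packet callback tests it and a later hunk on this page shows main() closing it again when it is non-NULL.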
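Review bot: `extcap_packet_filter = atoi(optarg);` in the new `case '9'` stores an unvalidated int into a `u_int16_t`, so non-numeric input becomes 0 and an out-of-range number wraps silently into some other protocol id, while only -1 is meant to map to the `(u_int16_t)-1` no-filter value. Parsing with `strtol` and rejecting anything outside -1..65534 before the assignment would turn a bad `--ndpi-proto-filter` value into an error instead of a different filter. `extcap_capture_fifo = strdup(optarg);` in `case '7'` is likewise unchecked. Note also that `if(do_capture) extcap_capture();` runs before the `_pcap_file[0] == NULL` check that follows it, so the capture starts before the interface argument has been validated; parseOptions continues outside the hunk.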
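Review bot: `if(trace) fclose(trace);` at the end of parseOptions leaves `trace` pointing at a closed stream, while the DEBUG_TRACE blocks this commit adds to test_lib and pcap_packet_callback_checked still test `if(trace)` and write to it. If either of them runs after parseOptions has returned, which looks like the normal path, that is a write to a closed FILE. `if(trace) { fclose(trace); trace = NULL; }` removes the dangling pointer, or the close can move to program exit so the later trace lines are kept.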
@@ -388,7 +577,7 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info); - + if(flow->ssh_ssl.client_info[0] != '\0') fprintf(out, "[client: %s]", flow->ssh_ssl.client_info); if(flow->ssh_ssl.server_info[0] != '\0') fprintf(out, "[server: %s]", flow->ssh_ssl.server_info); if(flow->bittorent_hash[0] != '\0') fprintf(out, "[BT Hash: %s]", flow->bittorent_hash); @@ -1138,13 +1327,14 @@ static pcap_t * openPcapFileOrDevice(u_int16_t thread_id, const u_char * pcap_fi static void pcap_packet_callback_checked(u_char *args, const struct pcap_pkthdr *header, const u_char *packet) { - + struct ndpi_proto p; u_int16_t thread_id = *((u_int16_t*)args); /* allocate an exact size buffer to check overflows */ uint8_t *packet_checked = malloc(header->caplen); + memcpy(packet_checked, packet, header->caplen); - ndpi_workflow_process_packet(ndpi_thread_info[thread_id].workflow, header, packet_checked); + p = ndpi_workflow_process_packet(ndpi_thread_info[thread_id].workflow, header, packet_checked); if((capture_until != 0) && (header->ts.tv_sec >= capture_until)) { if(ndpi_thread_info[thread_id].workflow->pcap_handle != NULL) 
@@ -1182,6 +1372,25 @@ static void pcap_packet_callback_checked(u_char *args, } } +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Found %u bytes packet %u.%u\n", header->caplen, p.app_protocol, p.master_protocol); +#endif + + if(extcap_dumper + && ((extcap_packet_filter == (u_int16_t)-1) + || (p.app_protocol == extcap_packet_filter) + || (p.master_protocol == extcap_packet_filter) + ) + ) { + struct pcap_pkthdr *h = (struct pcap_pkthdr*)header; + +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Dumping %u bytes packet\n", header->caplen); +#endif + // h->caplen += 8, h->len += 8; + pcap_dump((u_char*)extcap_dumper, h, packet); + } + /* check for buffer changes */ if(memcmp(packet, packet_checked, header->caplen) != 0) printf("INTERNAL ERROR: ingress packet was modified by nDPI: this should not happen [thread_id=%u, packetId=%lu]\n", @@ -1244,7 +1453,6 @@ void * processing_thread(void *_thread_id) { * @brief Begin, process, end detection process */ void test_lib() { - struct timeval begin, end; u_int64_t tot_usec; long thread_id; @@ -1253,8 +1461,18 @@ void test_lib() { json_init(); #endif +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Num threads: %d\n", num_threads); +#endif + for(thread_id = 0; thread_id < num_threads; thread_id++) { - pcap_t * cap = openPcapFileOrDevice(thread_id, (const u_char*)_pcap_file[thread_id]); + pcap_t *cap; + +#ifdef DEBUG_TRACE + if(trace) fprintf(trace, "Opening %s\n", (const u_char*)_pcap_file[thread_id]); +#endif + + cap = openPcapFileOrDevice(thread_id, (const u_char*)_pcap_file[thread_id]); setupDetection(thread_id, cap); } @@ -1275,9 +1493,9 @@ void test_lib() { printResults(tot_usec); for(thread_id = 0; thread_id < num_threads; thread_id++) { - if(ndpi_thread_info[thread_id].workflow->pcap_handle != NULL) { + if(ndpi_thread_info[thread_id].workflow->pcap_handle != NULL) pcap_close(ndpi_thread_info[thread_id].workflow->pcap_handle); - } + terminateDetection(thread_id); } } 
diff --git a/example/ndpi_util.c b/example/ndpi_util.c index d2f002270..60dc94230 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -502,13 +502,13 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl @Note: ipsize = header->len - ip_offset ; rawsize = header->len */ -static unsigned int packet_processing(struct ndpi_workflow * workflow, - const u_int64_t time, - u_int16_t vlan_id, - const struct ndpi_iphdr *iph, - struct ndpi_ipv6hdr *iph6, - u_int16_t ip_offset, - u_int16_t ipsize, u_int16_t rawsize) { +static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, + const u_int64_t time, + u_int16_t vlan_id, + const struct ndpi_iphdr *iph, + struct ndpi_ipv6hdr *iph6, + u_int16_t ip_offset, + u_int16_t ipsize, u_int16_t rawsize) { struct ndpi_id_struct *src, *dst; struct ndpi_flow_info *flow = NULL; struct ndpi_flow_struct *ndpi_flow = NULL; @@ -540,11 +540,11 @@ static unsigned int packet_processing(struct ndpi_workflow * workflow, flow->packets++, flow->bytes += rawsize; flow->last_seen = time; } else { - return(0); + return(flow->detected_protocol); } /* Protocol already detected */ - if(flow->detection_completed) return(0); + if(flow->detection_completed) return(flow->detected_protocol); flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, @@ -565,14 +565,14 @@ static unsigned int packet_processing(struct ndpi_workflow * workflow, } process_ndpi_collected_info(workflow, flow); - return 0; + return(flow->detected_protocol); } /* ****************************************************** */ -void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, - const struct pcap_pkthdr *header, - const u_char *packet) { +struct ndpi_proto ndpi_workflow_process_packet (struct ndpi_workflow * workflow, + const struct pcap_pkthdr *header, + const u_char *packet) { /* * Declare pointers to packet headers */ 
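Review bot: In the `@@ -540,11 +540,11 @@` hunk the `else` branch now returns `flow->detected_protocol`, but this appears to be the branch taken when `flow` is NULL (it is initialised to NULL in the declarations and the other branch is the one that dereferences it), which would turn the old `return(0)` into a NULL-pointer read for every packet that gets no flow. The condition itself is outside the hunk, so this needs confirming against the full function. If it holds, declare `struct ndpi_proto nproto = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN };` as ndpi_workflow_process_packet does in this same commit and use `return(nproto);` here. The later hunk `@@ -542,9 +542,8 @@` on this page keeps the same `else return(flow->detected_protocol);`.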
@@ -597,6 +597,8 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, /** --- IPv6 header --- **/ struct ndpi_ipv6hdr *iph6; + struct ndpi_proto nproto = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN }; + /* lengths and offsets */ u_int16_t eth_offset = 0; u_int16_t radio_len; @@ -691,7 +693,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, /* Check Bad FCS presence */ if((radiotap->flags & BAD_FCS) == BAD_FCS) { workflow->stats.total_discarded_bytes += header->len; - return; + return(nproto); } /* Calculate 802.11 header length (variable) */ @@ -721,7 +723,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, default: /* printf("Unknown datalink %d\n", datalink_type); */ - return; + return(nproto); } /* check ether type */ @@ -802,7 +804,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, } workflow->stats.total_discarded_bytes += header->len; - return; + return(nproto); } } else if(iph->version == 6) { iph6 = (struct ndpi_ipv6hdr *)&packet[ip_offset]; @@ -827,7 +829,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, ipv4_warning_used = 1; } workflow->stats.total_discarded_bytes += header->len; - return; + return(nproto); } if(workflow->prefs.decode_tunnels && (proto == IPPROTO_UDP)) { @@ -886,7 +888,7 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, offset += tag_len; if(offset >= header->caplen) - return; /* Invalid packet */ + return(nproto); /* Invalid packet */ else { eth_offset = offset; goto datalink_check; @@ -897,6 +899,6 @@ void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, } /* process the packet */ - packet_processing(workflow, time, vlan_id, iph, iph6, - ip_offset, header->len - ip_offset, header->len); + return(packet_processing(workflow, time, vlan_id, iph, iph6, + ip_offset, header->len - ip_offset, header->len)); } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 1c092cbfa..4895cdcb1 100644 
--- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -138,9 +138,9 @@ void ndpi_free_flow_info_half(struct ndpi_flow_info *flow); /* Process a packet and update the workflow */ -void ndpi_workflow_process_packet (struct ndpi_workflow * workflow, - const struct pcap_pkthdr *header, - const u_char *packet); +struct ndpi_proto ndpi_workflow_process_packet(struct ndpi_workflow * workflow, + const struct pcap_pkthdr *header, + const u_char *packet); /* flow callbacks for complete detected flow -- cgit v1.2.3 From 4c5de9ef8e9e14289ce9024349390fe06b59c769 Mon Sep 17 00:00:00 2001 From: Luca Date: Mon, 17 Apr 2017 09:38:30 +0200 Subject: Added ethernet checksum reforging and nDPI protocol export in nDPI-extcap reader --- example/ndpiReader.c | 26 +++++++++++++++++++++----- example/ndpi_util.c | 40 ++++++++++++++++++++++++++++++++++++++++ example/ndpi_util.h | 2 +- 3 files changed, 62 insertions(+), 6 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index b32650871..9eab4500f 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -81,7 +81,13 @@ static time_t capture_for = 0; static time_t capture_until = 0; static u_int32_t num_flows; +struct ndpi_packet_trailer { + u_int32_t magic; /* 0x19682017 */ + u_int16_t master_protocol /* e.g. HTTP */, app_protocol /* e.g. FaceBook */; +}; + static pcap_dumper_t *extcap_dumper = NULL; +static char extcap_buf[2048]; static char *extcap_capture_fifo = NULL; static u_int16_t extcap_packet_filter = (u_int16_t)-1; @@ -422,7 +428,7 @@ static void parseOptions(int argc, char **argv) { case '9': extcap_packet_filter = atoi(optarg); break; - + default: help(0); break; 
@@ -1383,12 +1389,22 @@ static void pcap_packet_callback_checked(u_char *args, ) ) { struct pcap_pkthdr *h = (struct pcap_pkthdr*)header; - + uint32_t *crc, delta = sizeof(struct ndpi_packet_trailer) + 4 /* ethernet trailer */; + struct ndpi_packet_trailer *trailer = (struct ndpi_packet_trailer*)&extcap_buf[h->caplen]; + + memcpy(extcap_buf, packet, h->caplen); + trailer->magic = 0x19682017; + trailer->master_protocol = p.master_protocol, trailer->app_protocol = p.app_protocol; + crc = (uint32_t*)&extcap_buf[h->caplen+sizeof(struct ndpi_packet_trailer)]; + *crc = 0; + ethernet_crc32((const void*)extcap_buf, h->caplen+sizeof(struct ndpi_packet_trailer), crc); + h->caplen += delta, h->len += delta; + #ifdef DEBUG_TRACE if(trace) fprintf(trace, "Dumping %u bytes packet\n", header->caplen); #endif - // h->caplen += 8, h->len += 8; - pcap_dump((u_char*)extcap_dumper, h, packet); + + pcap_dump((u_char*)extcap_dumper, h, (const u_char *)extcap_buf); } /* check for buffer changes */ @@ -1503,7 +1519,7 @@ void test_lib() { exit(-1); } } - + gettimeofday(&end, NULL); tot_usec = end.tv_sec*1000000 + end.tv_usec - (begin.tv_sec*1000000 + begin.tv_usec); diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 8fe80111a..cd3c8a1e3 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c 
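Review bot: `memcpy(extcap_buf, packet, h->caplen)` and the trailer and CRC writes after it have no bound against the 2048-byte `extcap_buf`, so a captured frame longer than `sizeof(extcap_buf)` minus the trailer and CRC bytes overflows a static buffer with data taken off the wire. `h` also aliases the caller's const `header`, so `h->caplen += delta` makes the `memcmp(packet, packet_checked, header->caplen)` that follows read `delta` bytes past the exact-size `packet_checked` allocation. Working on a local copy of the header and clamping (or skipping) oversized packets fixes both; `extcap_buf` is additionally shared by every capture thread and would need to be per-thread if extcap mode can run with more than one. pcap_packet_callback_checked starts and ends outside the hunk.
```c
struct pcap_pkthdr h = *header;   /* local copy: the caller's header stays untouched */
const size_t room = sizeof(extcap_buf) - sizeof(struct ndpi_packet_trailer) - 4 /* ethernet trailer */;

if(h.caplen > room)
  h.caplen = room;                /* never write past extcap_buf */

memcpy(extcap_buf, packet, h.caplen);
/* … unchanged: trailer fill and ethernet_crc32() call, indexed with h.caplen … */
h.caplen += delta, h.len += delta;
pcap_dump((u_char*)extcap_dumper, &h, (const u_char *)extcap_buf);
```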
@@ -909,3 +909,43 @@ struct ndpi_proto ndpi_workflow_process_packet (struct ndpi_workflow * workflow, return(packet_processing(workflow, time, vlan_id, iph, iph6, ip_offset, header->len - ip_offset, header->len)); } + +/* ********************************************************** */ +/* http://home.thep.lu.se/~bjorn/crc/crc32_fast.c */ +/* ********************************************************** */ + +static uint32_t crc32_for_byte(uint32_t r) { + for(int j = 0; j < 8; ++j) + r = (r & 1? 0: (uint32_t)0xEDB88320L) ^ r >> 1; + return r ^ (uint32_t)0xFF000000L; +} + +/* Any unsigned integer type with at least 32 bits may be used as + * accumulator type for fast crc32-calulation, but unsigned long is + * probably the optimal choice for most systems. */ +typedef unsigned long accum_t; + +static void init_tables(uint32_t* table, uint32_t* wtable) { + for(size_t i = 0; i < 0x100; ++i) + table[i] = crc32_for_byte(i); + for(size_t k = 0; k < sizeof(accum_t); ++k) + for(size_t w, i = 0; i < 0x100; ++i) { + for(size_t j = w = 0; j < sizeof(accum_t); ++j) + w = table[(uint8_t)(j == k? w ^ i: w)] ^ w >> 8; + wtable[(k << 8) + i] = w ^ (k? wtable[0]: 0); + } +} + +void ethernet_crc32(const void* data, size_t n_bytes, uint32_t* crc) { + static uint32_t table[0x100], wtable[0x100*sizeof(accum_t)]; + size_t n_accum = n_bytes/sizeof(accum_t); + if(!*table) + init_tables(table, wtable); + for(size_t i = 0; i < n_accum; ++i) { + accum_t a = *crc ^ ((accum_t*)data)[i]; + for(size_t j = *crc = 0; j < sizeof(accum_t); ++j) + *crc ^= wtable[(j << 8) + (uint8_t)(a >> 8*j)]; + } + for(size_t i = n_accum*sizeof(accum_t); i < n_bytes; ++i) + *crc = table[(uint8_t)*crc ^ ((uint8_t*)data)[i]] ^ *crc >> 8; +} diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 4895cdcb1..a8e21d673 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h 
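Review bot: ethernet_crc32() reads its input as `((accum_t*)data)[i]`, which casts away `const` and assumes `data` is aligned for `unsigned long`; the prototype accepts any `const void*`, so an unaligned buffer gives undefined behaviour and a fault on strict-alignment targets. Loading each word with `accum_t a; memcpy(&a, (const uint8_t*)data + i*sizeof(a), sizeof(a)); a ^= *crc;` keeps the word-at-a-time loop without that assumption. The lazy `if(!*table) init_tables(table, wtable);` on function-static tables is unsynchronised, so the tables should be built once before the capture threads start if more than one thread can reach this function. A one-line comment stating that the caller must set `*crc` to 0 before the first call would document the contract the caller in ndpiReader.c relies on.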
@@ -160,5 +160,5 @@ static inline void ndpi_workflow_set_flow_giveup_callback(struct ndpi_workflow * /* compare two nodes in workflow */ int ndpi_workflow_node_cmp(const void *a, const void *b); void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow); - +void ethernet_crc32(const void* data, size_t n_bytes, uint32_t* crc); #endif -- cgit v1.2.3 From a9c01ded174ed380a2d135cfb9b903f616b0e175 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Wed, 19 Apr 2017 21:55:49 +0200 Subject: ndpiReader now prints (-v) the flows with the correct direction --- example/ndpiReader.c | 28 +++++++++++++++++----------- example/ndpi_util.c | 22 ++++++++++------------ example/ndpi_util.h | 2 +- 3 files changed, 28 insertions(+), 24 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index b0b21b2b3..ca06e98b8 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c 
@@ -553,17 +553,23 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { if(!json_flag) { fprintf(out, "\t%u", ++num_flows); - fprintf(out, "\t%s %s%s%s:%u <-> %s%s%s:%u ", - ipProto2Name(flow->protocol), - (flow->ip_version == 6) ? "[" : "", - flow->lower_name, - (flow->ip_version == 6) ? "]" : "", - ntohs(flow->lower_port), - (flow->ip_version == 6) ? "[" : "", - flow->upper_name, - (flow->ip_version == 6) ? "]" : "", - ntohs(flow->upper_port)); - + fprintf(out, "\t%s ", ipProto2Name(flow->protocol)); + + if(flow->src_to_dst_direction == 1) + fprintf(out, "%s%s%s:%u <-> %s%s%s:%u ", + (flow->ip_version == 6) ? "[" : "", + flow->lower_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->lower_port), + (flow->ip_version == 6) ? "[" : "", + flow->upper_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->upper_port) + ); + else + fprintf(out, "%s%s%s:%u <-> %s%s%s:%u ", + (flow->ip_version == 6) ? "[" : "", + flow->upper_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->upper_port), + (flow->ip_version == 6) ? "[" : "", + flow->lower_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->lower_port) + ); + if(flow->vlan_id > 0) fprintf(out, "[VLAN: %u]", flow->vlan_id); if(flow->detected_protocol.master_protocol) { diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 783f05c86..445ade1ac 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -260,9 +260,8 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow if(iph->protocol == IPPROTO_TCP && l4_packet_len >= 20) { u_int tcp_len; + // tcp workflow->stats.tcp_count++; - - // tcp *tcph = (struct ndpi_tcphdr *)l4; *sport = ntohs((*tcph)->source), *dport = ntohs((*tcph)->dest); 
@@ -287,12 +286,10 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow tcp_len = ndpi_min(4*(*tcph)->doff, l4_packet_len); *payload = &l4[tcp_len]; *payload_len = ndpi_max(0, l4_packet_len-4*(*tcph)->doff); - - // udp } else if(iph->protocol == IPPROTO_UDP && l4_packet_len >= 8) { + // udp workflow->stats.udp_count++; - *udph = (struct ndpi_udphdr *)l4; *sport = ntohs((*udph)->source), *dport = ntohs((*udph)->dest); *payload = &l4[sizeof(struct ndpi_udphdr)]; @@ -335,7 +332,9 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow if(ret == NULL) { if(workflow->stats.ndpi_flow_count == workflow->prefs.max_ndpi_flows) { - NDPI_LOG(0, workflow->ndpi_struct, NDPI_LOG_ERROR, "maximum flow count (%u) has been exceeded\n", workflow->prefs.max_ndpi_flows); + NDPI_LOG(0, workflow->ndpi_struct, NDPI_LOG_ERROR, + "maximum flow count (%u) has been exceeded\n", + workflow->prefs.max_ndpi_flows); exit(-1); } else { struct ndpi_flow_info *newflow = (struct ndpi_flow_info*)malloc(sizeof(struct ndpi_flow_info)); @@ -350,7 +349,8 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow newflow->lower_ip = lower_ip, newflow->upper_ip = upper_ip; newflow->lower_port = lower_port, newflow->upper_port = upper_port; newflow->ip_version = version; - + newflow->src_to_dst_direction = *src_to_dst_direction; + if(version == IPVERSION) { inet_ntop(AF_INET, &lower_ip, newflow->lower_name, sizeof(newflow->lower_name)); inet_ntop(AF_INET, &upper_ip, newflow->upper_name, sizeof(newflow->upper_name)); @@ -520,7 +520,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, struct ndpi_udphdr *udph = NULL; u_int16_t sport, dport, payload_len; u_int8_t *payload; - u_int8_t src_to_dst_direction= 1; + u_int8_t src_to_dst_direction = 1; if(iph) flow = get_ndpi_flow_info(workflow, IPVERSION, vlan_id, iph, NULL, 
@@ -542,9 +542,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, ndpi_flow = flow->ndpi_flow; flow->packets++, flow->bytes += rawsize; flow->last_seen = time; - } else { + } else return(flow->detected_protocol); - } /* Protocol already detected */ if(flow->detection_completed) return(flow->detected_protocol); @@ -556,8 +555,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, if((flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN) || ((proto == IPPROTO_UDP) && (flow->packets > 8)) || ((proto == IPPROTO_TCP) && (flow->packets > 10))) { - /* New protocol detected or give up */ - + /* New protocol detected or give up */ flow->detection_completed = 1; } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index a8e21d673..335c94ddf 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -46,7 +46,7 @@ typedef struct ndpi_flow_info { u_int32_t upper_ip; u_int16_t lower_port; u_int16_t upper_port; - u_int8_t detection_completed, protocol; + u_int8_t detection_completed, protocol, src_to_dst_direction; u_int16_t vlan_id; struct ndpi_flow_struct *ndpi_flow; char lower_name[48], upper_name[48]; -- cgit v1.2.3 From 064b50df819918734062294984e529bd62bd594c Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Sun, 30 Apr 2017 10:12:28 +0200 Subject: Added -m for splitting analysis in sub-analysis steps --- example/ndpiReader.c | 102 ++++++++++++++++++++++++++++++++------------------- example/ndpi_util.c | 2 +- example/ndpi_util.h | 1 + 3 files changed, 67 insertions(+), 38 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 1f982b60b..59ca8b3a1 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c 
@@ -69,10 +69,12 @@ static u_int8_t live_capture = 0; static u_int8_t undetected_flows_deleted = 0; /** User preferences **/ static u_int8_t enable_protocol_guess = 1, verbose = 0, nDPI_traceLevel = 0, json_flag = 0; +static u_int32_t pcap_analysis_duration = (u_int32_t)-1; static u_int16_t decode_tunnels = 0; static u_int16_t num_loops = 1; static u_int8_t shutdown_app = 0, quiet_mode = 0; static u_int8_t num_threads = 1; +static struct timeval begin, end; #ifdef linux static int core_affinity[MAX_NUM_READER_THREADS]; #endif @@ -146,13 +148,14 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle); static void help(u_int long_help) { printf("Welcome to nDPI %s\n\n", ndpi_revision()); - printf("ndpiReader -i [-f ][-s ]\n" + printf("ndpiReader -i [-f ][-s ][-m ]\n" " [-p ][-l [-q][-d][-h][-t][-v ]\n" " [-n ] [-w ] [-j ]\n\n" "Usage:\n" " -i | Specify a pcap file/playlist to read packets from or a device for live capture (comma-separated list)\n" " -f | Specify a BPF filter for filtering selected traffic\n" " -s | Maximum capture duration in seconds (live traffic capture only)\n" + " -m | Split analysis duration in max seconds\n" " -p .protos | Specify a protocol file (eg. protos.txt)\n" " -l | Number of detection loops (test only)\n" " -n | Number of threads. Default: number of interfaces in -i. Ignored with pcap files.\n" @@ -262,7 +265,7 @@ void extcap_config() { int i, argidx = 0; struct ndpi_detection_module_struct *ndpi_mod; struct ndpi_proto_sorter *protos; - + /* -i */ printf("arg {number=%u}{call=-i}{display=Capture Interface or Pcap File Path}{type=string}" "{tooltip=The interface name}\n", argidx++); 
@@ -271,12 +274,12 @@ void extcap_config() { printf("arg {number=%u}{call=-i}{display=Pcap File to Analize}{type=fileselect}" "{tooltip=The pcap file to analyze (if the interface is unspecified)}\n", argidx++); #endif - + setupDetection(0, NULL); ndpi_mod = ndpi_thread_info[0].workflow->ndpi_struct; - + protos = (struct ndpi_proto_sorter*)malloc(sizeof(struct ndpi_proto_sorter)*ndpi_mod->ndpi_num_supported_protocols); - if(!protos) exit(0); + if(!protos) exit(0); for(i=0; i<(int)ndpi_mod->ndpi_num_supported_protocols; i++) { protos[i].id = i; @@ -284,18 +287,18 @@ void extcap_config() { } qsort(protos, ndpi_mod->ndpi_num_supported_protocols, sizeof(struct ndpi_proto_sorter), cmpProto); - + printf("arg {number=%u}{call=-9}{display=nDPI Protocol Filter}{type=selector}" "{tooltip=nDPI Protocol to be filtered}\n", argidx); printf("value {arg=%d}{value=%d}{display=%s}\n", argidx, -1, "All Protocols (no nDPI filtering)"); - + for(i=0; i<(int)ndpi_mod->ndpi_num_supported_protocols; i++) printf("value {arg=%d}{value=%d}{display=%s (%u)}\n", argidx, protos[i].id, protos[i].name, protos[i].id); free(protos); - + exit(0); } @@ -341,7 +344,7 @@ static void parseOptions(int argc, char **argv) { if(trace) fprintf(trace, " #### %s #### \n", __FUNCTION__); #endif - while ((opt = getopt_long(argc, argv, "df:g:i:hp:l:s:tv:V:n:j:rp:w:q0123:456:7:89:", longopts, &option_idx)) != EOF) { + while ((opt = getopt_long(argc, argv, "df:g:i:hp:l:s:tv:V:n:j:rp:w:q0123:456:7:89:m:", longopts, &option_idx)) != EOF) { #ifdef DEBUG_TRACE if(trace) fprintf(trace, " #### -%c [%s] #### \n", opt, optarg ? optarg : ""); #endif @@ -356,6 +359,10 @@ static void parseOptions(int argc, char **argv) { _pcap_file[0] = optarg; break; + case 'm': + pcap_analysis_duration = atol(optarg); + break; + case 'f': case '6': _bpf_filter = optarg; 
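Review bot: `pcap_analysis_duration = atol(optarg);` in the new `case 'm'` assigns an unchecked long to a `u_int32_t`: a negative value wraps to a huge duration that quietly disables splitting, and 0 or non-numeric input makes the per-packet check added in pcap_process_packet print and reset the statistics at every one-second boundary. Parse with `v = strtol(optarg, &endp, 10);` and reject the option when `endp == optarg || *endp != '\0' || v <= 0 || v > UINT32_MAX` before assigning. parseOptions starts and ends outside the hunk.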
@@ -580,7 +587,7 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { if((verbose != 1) && (verbose != 2)) return; - + if(!json_flag) { fprintf(out, "\t%u", ++num_flows); @@ -937,7 +944,6 @@ static void setupDetection(u_int16_t thread_id, pcap_t * pcap_handle) { * @brief End of detection and free flow */ static void terminateDetection(u_int16_t thread_id) { - ndpi_workflow_free(ndpi_thread_info[thread_id].workflow); } @@ -1047,12 +1053,12 @@ static int port_stats_sort(void *_a, void *_b) { void printPortStats(struct port_stats *stats) { struct port_stats *s, *tmp; int i = 0; - + HASH_ITER(hh, stats, s, tmp) { i++; printf("\t%2d\tPort %5u\t[%u pkts/%u bytes]\n", i, s->port, s->num_pkts, s->num_bytes); if(i >= 10) break; - } + } } /* *********************************************** */ @@ -1061,7 +1067,6 @@ void printPortStats(struct port_stats *stats) { * @brief Print result */ static void printResults(u_int64_t tot_usec) { - u_int32_t i; u_int64_t total_flow_bytes = 0; u_int32_t avg_pkt_size = 0; @@ -1073,10 +1078,10 @@ static void printResults(u_int64_t tot_usec) { json_object *jObj_main = NULL, *jObj_trafficStats, *jArray_detProto = NULL, *jObj; #endif long long unsigned int breed_stats[NUM_BREEDS] = { 0 }; - + memset(&cumulative_stats, 0, sizeof(cumulative_stats)); - for(thread_id = 0; thread_id < num_threads; thread_id++) { + for(thread_id = 0; thread_id < num_threads; thread_id++) { if((ndpi_thread_info[thread_id].workflow->stats.total_wire_bytes == 0) && (ndpi_thread_info[thread_id].workflow->stats.raw_packet_count == 0)) continue; @@ -1090,7 +1095,7 @@ static void printResults(u_int64_t tot_usec) { HASH_SORT(srcStats, port_stats_sort); HASH_SORT(dstStats, port_stats_sort); } - + /* Stats aggregation */ cumulative_stats.guessed_flow_protocols += ndpi_thread_info[thread_id].workflow->stats.guessed_flow_protocols; cumulative_stats.raw_packet_count += ndpi_thread_info[thread_id].workflow->stats.raw_packet_count; 
@@ -1117,6 +1122,8 @@ static void printResults(u_int64_t tot_usec) { cumulative_stats.max_packet_len += ndpi_thread_info[thread_id].workflow->stats.max_packet_len; } + if(cumulative_stats.total_wire_bytes == 0) return; + if(!quiet_mode) { printf("\nnDPI Memory statistics:\n"); printf("\tnDPI Memory (once): %-13s\n", formatBytes(sizeof(struct ndpi_detection_module_struct), buf, sizeof(buf))); @@ -1155,7 +1162,7 @@ static void printResults(u_int64_t tot_usec) { printf("\tPacket Len > 1500: %-13lu\n", (unsigned long)cumulative_stats.packet_len[5]); if(tot_usec > 0) { - char buf[32], buf1[32]; + char buf[32], buf1[32], when[64]; float t = (float)(cumulative_stats.ip_packet_count*1000000)/(float)tot_usec; float b = (float)(cumulative_stats.total_wire_bytes * 8 *1000000)/(float)tot_usec; float traffic_duration; @@ -1164,6 +1171,11 @@ static void printResults(u_int64_t tot_usec) { printf("\tnDPI throughput: %s pps / %s/sec\n", formatPackets(t, buf), formatTraffic(b, 1, buf1)); t = (float)(cumulative_stats.ip_packet_count*1000000)/(float)traffic_duration; b = (float)(cumulative_stats.total_wire_bytes * 8 *1000000)/(float)traffic_duration; + + strftime(when, sizeof(when), "%d/%b/%Y %H:%M:%S", localtime(&pcap_start.tv_sec)); + printf("\tAnalysis begin: %s\n", when); + strftime(when, sizeof(when), "%d/%b/%Y %H:%M:%S", localtime(&pcap_end.tv_sec)); + printf("\tAnalysis end: %s\n", when); printf("\tTraffic throughput: %s pps / %s/sec\n", formatPackets(t, buf), formatTraffic(b, 1, buf1)); printf("\tTraffic duration: %.3f sec\n", traffic_duration/1000000); } @@ -1315,11 +1327,12 @@ static void printResults(u_int64_t tot_usec) { if(verbose == 3) { printf("\n\nSource Ports Stats:\n"); printPortStats(srcStats); - + printf("\nDestination Ports Stats:\n"); printPortStats(dstStats); - + deletePortsStats(srcStats), deletePortsStats(dstStats); + srcStats = NULL, dstStats = NULL; } } 
@@ -1328,14 +1341,11 @@ static void printResults(u_int64_t tot_usec) { * @brief Force a pcap_dispatch() or pcap_loop() call to return */ static void breakPcapLoop(u_int16_t thread_id) { - if(ndpi_thread_info[thread_id].workflow->pcap_handle != NULL) { pcap_breakloop(ndpi_thread_info[thread_id].workflow->pcap_handle); } } - - /** * @brief Sigproc is executed for each packet in the pcap file */ @@ -1453,9 +1463,9 @@ static pcap_t * openPcapFileOrDevice(u_int16_t thread_id, const u_char * pcap_fi /** * @brief Check pcap packet */ -static void pcap_packet_callback_checked(u_char *args, - const struct pcap_pkthdr *header, - const u_char *packet) { +static void pcap_process_packet(u_char *args, + const struct pcap_pkthdr *header, + const u_char *packet) { struct ndpi_proto p; u_int16_t thread_id = *((u_int16_t*)args); @@ -1516,13 +1526,13 @@ static void pcap_packet_callback_checked(u_char *args, struct ndpi_packet_trailer *trailer; memcpy(&h, header, sizeof(h)); - + if(h.caplen > (sizeof(extcap_buf)-sizeof(struct ndpi_packet_trailer) - 4)) { printf("INTERNAL ERROR: caplen=%u\n", h.caplen); - h.caplen = sizeof(extcap_buf)-sizeof(struct ndpi_packet_trailer) - 4; + h.caplen = sizeof(extcap_buf)-sizeof(struct ndpi_packet_trailer) - 4; } - trailer = (struct ndpi_packet_trailer*)&extcap_buf[h.caplen]; + trailer = (struct ndpi_packet_trailer*)&extcap_buf[h.caplen]; memcpy(extcap_buf, packet, h.caplen); memset(trailer, 0, sizeof(struct ndpi_packet_trailer)); trailer->magic = htonl(0x19680924); 
@@ -1546,6 +1556,28 @@ static void pcap_packet_callback_checked(u_char *args, printf("INTERNAL ERROR: ingress packet was modified by nDPI: this should not happen [thread_id=%u, packetId=%lu, caplen=%u]\n", thread_id, (unsigned long)ndpi_thread_info[thread_id].workflow->stats.raw_packet_count, header->caplen); free(packet_checked); + + if((pcap_end.tv_sec-pcap_start.tv_sec) > pcap_analysis_duration) { + int i; + u_int64_t tot_usec; + + gettimeofday(&end, NULL); + tot_usec = end.tv_sec*1000000 + end.tv_usec - (begin.tv_sec*1000000 + begin.tv_usec); + + printResults(tot_usec); + + for(i=0; iprefs.num_roots; i++) { + ndpi_tdestroy(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], ndpi_flow_info_freer); + ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i] = NULL; + + memset(&ndpi_thread_info[thread_id].workflow->stats, 0, sizeof(struct ndpi_stats)); + } + + printf("\n-------------------------------------------\n\n"); + + memcpy(&begin, &end, sizeof(begin)); + memcpy(&pcap_start, &pcap_end, sizeof(pcap_start)); + } } @@ -1553,12 +1585,10 @@ static void pcap_packet_callback_checked(u_char *args, * @brief Call pcap_loop() to process packets from a live capture or savefile */ static void runPcapLoop(u_int16_t thread_id) { - if((!shutdown_app) && (ndpi_thread_info[thread_id].workflow->pcap_handle != NULL)) - pcap_loop(ndpi_thread_info[thread_id].workflow->pcap_handle, -1, &pcap_packet_callback_checked, (u_char*)&thread_id); + pcap_loop(ndpi_thread_info[thread_id].workflow->pcap_handle, -1, &pcap_process_packet, (u_char*)&thread_id); } - /** * @brief Process a running thread */ @@ -1583,7 +1613,7 @@ void * processing_thread(void *_thread_id) { if((!json_flag) && (!quiet_mode)) printf("Running thread %ld...\n", thread_id); pcap_loop: - runPcapLoop(thread_id); + runPcapLoop(thread_id); if(playlist_fp[thread_id] != NULL) { /* playlist: read next file */ char filename[256]; 
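Review bot: The periodic-report block added at the end of pcap_process_packet calls printResults(), which sums `ndpi_thread_info[thread_id]` over every thread, yet it then destroys and zeroes only the calling thread's flow trees and statistics, and it rewrites `begin` and `pcap_start` (which appear to be file-scope variables) without any locking. With more than one capture thread that looks like a data race and yields reports whose windows differ per thread; restrict it to the single-thread case or serialize it behind a mutex. Separately, the `memset(&ndpi_thread_info[thread_id].workflow->stats, 0, sizeof(struct ndpi_stats));` sits inside the `num_roots` loop and runs once per root; it belongs after the loop. The loop header is garbled in this rendering and the function starts outside the hunk.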
@@ -1603,7 +1633,7 @@ void * processing_thread(void *_thread_id) { * @brief Begin, process, end detection process */ void test_lib() { - struct timeval begin, end; + struct timeval end; u_int64_t tot_usec; long thread_id; @@ -1690,8 +1720,6 @@ int main(int argc, char **argv) { automataUnitTest(); memset(ndpi_thread_info, 0, sizeof(ndpi_thread_info)); - memset(&pcap_start, 0, sizeof(pcap_start)); - memset(&pcap_end, 0, sizeof(pcap_end)); parseOptions(argc, argv); @@ -1714,7 +1742,7 @@ int main(int argc, char **argv) { if(results_path) free(results_path); if(results_file) fclose(results_file); if(extcap_dumper) pcap_dump_close(extcap_dumper); - + return 0; } diff --git a/example/ndpi_util.c b/example/ndpi_util.c index eb6744ccc..1ba77eb80 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -129,7 +129,7 @@ struct ndpi_workflow * ndpi_workflow_init(const struct ndpi_workflow_prefs * pre /* ***************************************************** */ -static void ndpi_flow_info_freer(void *node) { +void ndpi_flow_info_freer(void *node) { struct ndpi_flow_info *flow = (struct ndpi_flow_info*)node; ndpi_free_flow_info_half(flow); diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 335c94ddf..9d8f1e446 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -161,4 +161,5 @@ static inline void ndpi_workflow_set_flow_giveup_callback(struct ndpi_workflow * int ndpi_workflow_node_cmp(const void *a, const void *b); void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow); void ethernet_crc32(const void* data, size_t n_bytes, uint32_t* crc); +void ndpi_flow_info_freer(void *node); #endif -- cgit v1.2.3 From 4030b52ecb5c7a98eeb3eadc362eab60521fb565 Mon Sep 17 00:00:00 2001 
From: berat Date: Mon, 1 May 2017 14:07:41 +0200 Subject: Added IP Statistics to Port Stats --- example/ndpiReader.c | 179 ++++++++++++++++++++++++++++++++++++++++++++++++--- example/ndpi_util.h | 3 +- 2 files changed, 172 insertions(+), 10 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 59ca8b3a1..63e33d783 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -84,9 +84,24 @@ static time_t capture_for = 0; static time_t capture_until = 0; static u_int32_t num_flows; +struct info_pair{ + u_int32_t addr; + int count; +}; + +typedef struct node_a{ + u_int32_t addr; + int count; + struct node_a *left, *right; +}addr_node; + struct port_stats { u_int32_t port; /* we'll use this field as the key */ u_int32_t num_pkts, num_bytes; + u_int32_t num_addr; /*to hold number of distinct IP addresses*/ + u_int32_t cumulative_addr; /*to hold cumulative some of IP addresses*/ + addr_node *addr_tree; /* to hold distinct IP addresses*/ + struct info_pair top_ip_addrs[MAX_NUM_IP_ADDRESS]; UT_hash_handle hh; /* makes this structure hashable */ }; @@ -136,6 +151,9 @@ FILE *trace = NULL; /********************** FUNCTIONS ********************* */ + + + /** * @brief Set main components necessary to the detection */ 
@@ -764,8 +782,99 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept /* *********************************************** */ -static void updatePortStats(struct port_stats **stats, u_int32_t port, u_int32_t num_pkts, u_int32_t num_bytes) { +int updateIpTree(const u_int32_t key, addr_node **vrootp){ + addr_node *q; + addr_node **rootp = vrootp; + + if(rootp == (addr_node **)0) + return 0; + + while (*rootp != (addr_node *)0) { /* Knuth's T1: */ + + if(key == ((*rootp)->addr)) { /* T2: */ + return ++((*rootp)->count); + } + + rootp = (key < ((*rootp)->addr)) ? + &(*rootp)->left : /* T3: follow left branch */ + &(*rootp)->right; /* T4: follow right branch */ + } + q = (addr_node *) malloc(sizeof(addr_node)); /* T5: key not found */ + if(q != (addr_node *)0) { /* make new node */ + *rootp = q; /* link new node to old */ + q->addr = key; /* initialize new node */ + q->count = 1; + q->left = q->right = (addr_node *)0; + return q->count; + } + +} + +/* *********************************************** */ + +void freeIpTree(addr_node *root) { + while (root != NULL) { + addr_node *left = root->left; + if (left == NULL) { + addr_node *right = root->right; + root->right = NULL; + root = right; + } else { + /* Rotate the left child up.*/ + root->left = left->right; + left->right = root; + root = left; + } + } +} + +/* *********************************************** */ + +void updateTopIpAddress(u_int32_t addr, int count, struct info_pair top[], int size){ + int update = 0; + int min_i = 0; + int min = count; + + if(count == 0) return; + + struct info_pair pair; + pair.addr = addr, pair.count = count; + + /* if the same ip with a bigger + count just update it */ + for(int i=0; iport = port, s->num_pkts = 0, s->num_bytes = 0; + s->num_addr = 1, s->cumulative_addr = 1; + + memset(s->top_ip_addrs, 0, MAX_NUM_IP_ADDRESS*sizeof(struct info_pair)); + updateTopIpAddress(addr, 1, s->top_ip_addrs, MAX_NUM_IP_ADDRESS); + + s->addr_tree = (addr_node *) 
malloc(sizeof(addr_node)); + if(!s->addr_tree) return; + + s->addr_tree->addr = addr; + s->addr_tree->count = 1; + s->addr_tree->left = NULL; + s->addr_tree->right = NULL; + HASH_ADD_INT(*stats, port, s); } + int count = updateIpTree(addr, &(*s).addr_tree); + if(count == UPDATED_TREE) s->num_addr++; + if(count) { + s->cumulative_addr++; + updateTopIpAddress(addr, count, s->top_ip_addrs, MAX_NUM_IP_ADDRESS); + } + s->num_pkts += num_pkts, s->num_bytes += num_bytes; + } /* *********************************************** */ @@ -786,6 +916,8 @@ static void deletePortsStats(struct port_stats *stats) { HASH_ITER(hh, stats, current_port, tmp) { HASH_DEL(stats, current_port); + freeIpTree(current_port->addr_tree); + free(current_port->addr_tree); free(current_port); } } @@ -798,14 +930,18 @@ static void deletePortsStats(struct port_stats *stats) { static void port_stats_walker(const void *node, ndpi_VISIT which, int depth, void *user_data) { struct ndpi_flow_info *flow = *(struct ndpi_flow_info **) node; u_int16_t sport, dport; + u_int32_t saddr, daddr; - if(flow->src_to_dst_direction == 1) - sport = ntohs(flow->lower_port), dport = ntohs(flow->upper_port); - else - sport = ntohs(flow->upper_port), dport = ntohs(flow->lower_port); - - updatePortStats(&srcStats, sport, flow->packets, flow->bytes); - updatePortStats(&dstStats, dport, flow->packets, flow->bytes); + if(flow->src_to_dst_direction == 1) { + sport = ntohs(flow->lower_port), dport = ntohs(flow->upper_port); + saddr = flow->lower_ip, daddr = flow->upper_ip; + } + else { + sport = ntohs(flow->upper_port), dport = ntohs(flow->lower_port); + saddr = flow->upper_ip, daddr = flow->lower_ip; + } + updatePortStats(&srcStats, sport, saddr, flow->packets, flow->bytes); + updatePortStats(&dstStats, dport, daddr, flow->packets, flow->bytes); } /* *********************************************** */ 
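Review bot: freeIpTree() as added in the -764 hunk never calls free(): it only rotates and unlinks nodes, so with the `free(current_port->addr_tree);` in deletePortsStats (the -786 hunk) only the original root is released and every other address node leaks, growing with the number of distinct addresses seen in the capture. Releasing the node in the leaf branch, `addr_node *right = root->right; free(root); root = right;`, and dropping the extra `free(current_port->addr_tree);` in deletePortsStats would free the whole tree exactly once. In the same hunk updateIpTree() falls off the end without a value when malloc() fails, while updatePortStats reads the result; add `return 0;` after the `if(q != (addr_node *)0)` block. Part of this hunk (updateTopIpAddress and the start of updatePortStats) is truncated in this rendering, so those lines were not reviewed.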
@@ -1050,13 +1186,38 @@ static int port_stats_sort(void *_a, void *_b) { /* *********************************************** */ +static int info_pair_cmp (const void *_a, const void *_b) +{ + struct info_pair *a = (struct info_pair *)_a; + struct info_pair *b = (struct info_pair *)_b; + return b->count - a->count; +} + +/* *********************************************** */ + void printPortStats(struct port_stats *stats) { struct port_stats *s, *tmp; + char ip_name[48]; int i = 0; + int first = 1; + HASH_ITER(hh, stats, s, tmp) { i++; - printf("\t%2d\tPort %5u\t[%u pkts/%u bytes]\n", i, s->port, s->num_pkts, s->num_bytes); + printf("\t%2d\tPort %5u\t[%u IP address/%u pkts/%u bytes]\n", i, s->port, s->num_addr, s->num_pkts, s->num_bytes); + + qsort(&s->top_ip_addrs[0], MAX_NUM_IP_ADDRESS, sizeof(struct info_pair), info_pair_cmp); + + for(int i=0;itop_ip_addrs[i].count != 0) { + inet_ntop(AF_INET, &s->top_ip_addrs[i].addr, ip_name, sizeof(ip_name)); + printf("\t\t\t\t%s\t%s ~ %.2f%%\n", (first) ? "Top IP Stats:" : "\t", + ip_name, ((s->top_ip_addrs[i].count) * 100.0) / s->cumulative_addr); + first = 0; + } + } + printf("\n"); + first = 1; if(i >= 10) break; } } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 9d8f1e446..ca9f20274 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -38,7 +38,8 @@ #define NUM_ROOTS 512 #define MAX_NDPI_FLOWS 200000000 #define TICK_RESOLUTION 1000 - +#define MAX_NUM_IP_ADDRESS 5 /* len of ip address array */ +#define UPDATED_TREE 1 // flow tracking typedef struct ndpi_flow_info { -- cgit v1.2.3 From 0091f35e024cd55413a4b84b095828020e578120 Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Wed, 17 May 2017 15:50:59 +0200 Subject: Reworked flow structure handler --- example/ndpiReader.c | 35 +++++---------- example/ndpi_util.c | 120 +++++++++++++++++++-------------------------------- example/ndpi_util.h | 5 ++- 3 files changed, 58 insertions(+), 102 deletions(-) (limited to 'example/ndpi_util.h') 
diff --git a/example/ndpiReader.c b/example/ndpiReader.c index de31b0ab4..001e60249 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -611,20 +611,13 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { fprintf(out, "\t%s ", ipProto2Name(flow->protocol)); - if(flow->src_to_dst_direction == 1) - fprintf(out, "%s%s%s:%u <-> %s%s%s:%u ", - (flow->ip_version == 6) ? "[" : "", - flow->lower_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->lower_port), - (flow->ip_version == 6) ? "[" : "", - flow->upper_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->upper_port) - ); - else - fprintf(out, "%s%s%s:%u <-> %s%s%s:%u ", - (flow->ip_version == 6) ? "[" : "", - flow->upper_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->upper_port), - (flow->ip_version == 6) ? "[" : "", - flow->lower_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->lower_port) - ); + fprintf(out, "%s%s%s:%u %s %s%s%s:%u ", + (flow->ip_version == 6) ? "[" : "", + flow->lower_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->lower_port), + flow->bidirectional ? "<->" : "->", + (flow->ip_version == 6) ? "[" : "", + flow->upper_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->upper_port) + ); if(flow->vlan_id > 0) fprintf(out, "[VLAN: %u]", flow->vlan_id); 
@@ -939,16 +932,10 @@ static void port_stats_walker(const void *node, ndpi_VISIT which, int depth, voi char saddr[48]; char daddr[48]; - if(flow->src_to_dst_direction == 1) { - sport = ntohs(flow->lower_port), dport = ntohs(flow->upper_port); - strncpy(saddr, flow->lower_name, sizeof(saddr)); - strncpy(daddr, flow->upper_name, sizeof(daddr)); - } - else { - sport = ntohs(flow->upper_port), dport = ntohs(flow->lower_port); - strncpy(saddr, flow->upper_name, sizeof(saddr)); - strncpy(daddr, flow->lower_name, sizeof(daddr)); - } + sport = ntohs(flow->lower_port), dport = ntohs(flow->upper_port); + strncpy(saddr, flow->lower_name, sizeof(saddr)); + strncpy(daddr, flow->upper_name, sizeof(daddr)); + updatePortStats(&srcStats, sport, saddr, flow->packets, flow->bytes); updatePortStats(&dstStats, dport, daddr, flow->packets, flow->bytes); } diff --git a/example/ndpi_util.c b/example/ndpi_util.c index b07a41e03..53486229f 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c 
@@ -155,14 +155,36 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) { struct ndpi_flow_info *fa = (struct ndpi_flow_info*)a; struct ndpi_flow_info *fb = (struct ndpi_flow_info*)b; - if(fa->vlan_id < fb->vlan_id ) return(-1); else { if(fa->vlan_id > fb->vlan_id ) return(1); } + if(fa->hashval < fb->hashval) return(-1); else if(fa->hashval > fb->hashval) return(1); + + /* Flows have the same hash */ + + if(fa->vlan_id < fb->vlan_id ) return(-1); else { if(fa->vlan_id > fb->vlan_id ) return(1); } + if(fa->protocol < fb->protocol ) return(-1); else { if(fa->protocol > fb->protocol ) return(1); } + + if( + ( + (fa->lower_ip == fb->lower_ip ) + && (fa->lower_port == fb->lower_port) + && (fa->upper_ip == fb->upper_ip ) + && (fa->upper_port == fb->upper_port) + ) + || + ( + (fa->lower_ip == fb->upper_ip ) + && (fa->lower_port == fb->upper_port) + && (fa->upper_ip == fb->lower_ip ) + && (fa->upper_port == fb->lower_port) + ) + ) + return(0); + if(fa->lower_ip < fb->lower_ip ) return(-1); else { if(fa->lower_ip > fb->lower_ip ) return(1); } if(fa->lower_port < fb->lower_port) return(-1); else { if(fa->lower_port > fb->lower_port) return(1); } if(fa->upper_ip < fb->upper_ip ) return(-1); else { if(fa->upper_ip > fb->upper_ip ) return(1); } if(fa->upper_port < fb->upper_port) return(-1); else { if(fa->upper_port > fb->upper_port) return(1); } - if(fa->protocol < fb->protocol ) return(-1); else { if(fa->protocol > fb->protocol ) return(1); } - - return(0); + + return(0); /* notreached */ } /* ***************************************************** */ @@ -202,11 +224,7 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow u_int8_t **payload, u_int16_t *payload_len, u_int8_t *src_to_dst_direction) { - u_int32_t idx, l4_offset; - u_int32_t lower_ip; - u_int32_t upper_ip; - u_int16_t lower_port; - u_int16_t upper_port; + u_int32_t idx, l4_offset, hashval; struct ndpi_flow_info flow; void *ret; u_int8_t *l3, *l4; 
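Review bot: The reversed-tuple equality added to ndpi_workflow_node_cmp makes the comparator inconsistent: a flow and its reverse compare equal to each other, but the fall-through ordering on `lower_ip`, `lower_port`, `upper_ip`, `upper_port` can put them on opposite sides of a third node that shares hashval, vlan_id and protocol. In that case ndpi_tfind can miss an existing flow and a duplicate is inserted. The hash introduced in this commit is a plain sum, so equal hashvals between unrelated tuples are not rare. Ordering on a direction-independent form of the two endpoints keeps the "either direction matches" behaviour and gives a total order; the sketch below replaces everything after the protocol comparison.

```c
  /* … unchanged: hashval, vlan_id and protocol comparisons … */

  /* Compare direction-independent endpoint pairs so that a flow and its
     reverse sort identically against every other node. */
  {
    u_int64_t a_lo = ((u_int64_t)fa->lower_ip << 16) | fa->lower_port;
    u_int64_t a_hi = ((u_int64_t)fa->upper_ip << 16) | fa->upper_port;
    u_int64_t b_lo = ((u_int64_t)fb->lower_ip << 16) | fb->lower_port;
    u_int64_t b_hi = ((u_int64_t)fb->upper_ip << 16) | fb->upper_port;
    u_int64_t t;

    if(a_lo > a_hi) t = a_lo, a_lo = a_hi, a_hi = t;
    if(b_lo > b_hi) t = b_lo, b_lo = b_hi, b_hi = t;

    if(a_lo != b_lo) return((a_lo < b_lo) ? -1 : 1);
    if(a_hi != b_hi) return((a_hi < b_hi) ? -1 : 1);
  }

  return(0);
```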
@@ -246,14 +264,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow if(l4_packet_len > workflow->stats.max_packet_len) workflow->stats.max_packet_len = l4_packet_len; - if(iph->saddr < iph->daddr) { - lower_ip = iph->saddr; - upper_ip = iph->daddr; - } else { - lower_ip = iph->daddr; - upper_ip = iph->saddr; - } - *proto = iph->protocol; l4 = ((u_int8_t *) l3 + l4_offset); @@ -264,25 +274,6 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow workflow->stats.tcp_count++; *tcph = (struct ndpi_tcphdr *)l4; *sport = ntohs((*tcph)->source), *dport = ntohs((*tcph)->dest); - - if(iph->saddr < iph->daddr) { - lower_port = (*tcph)->source, upper_port = (*tcph)->dest; - *src_to_dst_direction = 1; - } else { - lower_port = (*tcph)->dest; - upper_port = (*tcph)->source; - - *src_to_dst_direction = 0; - if(iph->saddr == iph->daddr) { - if(lower_port > upper_port) { - u_int16_t p = lower_port; - - lower_port = upper_port; - upper_port = p; - } - } - } - tcp_len = ndpi_min(4*(*tcph)->doff, l4_packet_len); *payload = &l4[tcp_len]; *payload_len = ndpi_max(0, l4_packet_len-4*(*tcph)->doff); 
@@ -294,42 +285,16 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow *sport = ntohs((*udph)->source), *dport = ntohs((*udph)->dest); *payload = &l4[sizeof(struct ndpi_udphdr)]; *payload_len = ndpi_max(0, l4_packet_len-sizeof(struct ndpi_udphdr)); - - if(iph->saddr < iph->daddr) { - lower_port = (*udph)->source, upper_port = (*udph)->dest; - *src_to_dst_direction = 1; - } else { - lower_port = (*udph)->dest, upper_port = (*udph)->source; - - *src_to_dst_direction = 0; - - if(iph->saddr == iph->daddr) { - if(lower_port > upper_port) { - u_int16_t p = lower_port; - - lower_port = upper_port; - upper_port = p; - } - } - } - - *sport = ntohs(lower_port), *dport = ntohs(upper_port); } else { // non tcp/udp protocols - lower_port = 0; - upper_port = 0; - - *src_to_dst_direction = (iph->saddr < iph->daddr) ? 1 : 0; + *sport = *dport = 0; } flow.protocol = iph->protocol, flow.vlan_id = vlan_id; - flow.lower_ip = lower_ip, flow.upper_ip = upper_ip; - flow.lower_port = lower_port, flow.upper_port = upper_port; - - NDPI_LOG(0, workflow->ndpi_struct, NDPI_LOG_DEBUG, "[NDPI] [%u][%u:%u <-> %u:%u]\n", - iph->protocol, lower_ip, ntohs(lower_port), upper_ip, ntohs(upper_port)); - - idx = (vlan_id + lower_ip + upper_ip + iph->protocol + lower_port + upper_port) % workflow->prefs.num_roots; + flow.lower_ip = iph->saddr, flow.upper_ip = iph->daddr; + flow.lower_port = htons(*sport), flow.upper_port = htons(*dport); + flow.hashval = hashval = flow.protocol + flow.vlan_id + flow.lower_ip + flow.upper_ip + flow.lower_port + flow.upper_port; + idx = hashval % workflow->prefs.num_roots; ret = ndpi_tfind(&flow, &workflow->ndpi_flows_root[idx], ndpi_workflow_node_cmp); if(ret == NULL) { 
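Review bot: `flow.hashval` in this hunk of get_ndpi_flow_info is the plain sum of protocol, VLAN id, addresses and ports, all of which are chosen by whoever sends the traffic, so many distinct tuples share one hashval and therefore one `ndpi_flows_root[idx]` tree. Whether ndpi_tsearch rebalances is not visible here; if it does not, lookup cost for such traffic degrades towards linear. Consider hashing each endpoint (address, port) separately and combining the two results symmetrically, so both directions still land in the same root, and at least document the current property with `/* additive, direction-symmetric hash: equal sums collide, ordering is resolved in ndpi_workflow_node_cmp */`. The function begins and ends outside the hunk.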
@@ -347,15 +312,15 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow } memset(newflow, 0, sizeof(struct ndpi_flow_info)); + newflow->hashval = hashval; newflow->protocol = iph->protocol, newflow->vlan_id = vlan_id; - newflow->lower_ip = lower_ip, newflow->upper_ip = upper_ip; - newflow->lower_port = lower_port, newflow->upper_port = upper_port; + newflow->lower_ip = iph->saddr, newflow->upper_ip = iph->daddr; + newflow->lower_port = htons(*sport), newflow->upper_port = htons(*dport); newflow->ip_version = version; - newflow->src_to_dst_direction = *src_to_dst_direction; if(version == IPVERSION) { - inet_ntop(AF_INET, &lower_ip, newflow->lower_name, sizeof(newflow->lower_name)); - inet_ntop(AF_INET, &upper_ip, newflow->upper_name, sizeof(newflow->upper_name)); + inet_ntop(AF_INET, &newflow->lower_ip, newflow->lower_name, sizeof(newflow->lower_name)); + inet_ntop(AF_INET, &newflow->upper_ip, newflow->upper_name, sizeof(newflow->upper_name)); } else { inet_ntop(AF_INET6, &iph6->ip6_src, newflow->lower_name, sizeof(newflow->lower_name)); inet_ntop(AF_INET6, &iph6->ip6_dst, newflow->upper_name, sizeof(newflow->upper_name)); @@ -394,11 +359,14 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow } else { struct ndpi_flow_info *flow = *(struct ndpi_flow_info**)ret; - if(flow->lower_ip == lower_ip && flow->upper_ip == upper_ip - && flow->lower_port == lower_port && flow->upper_port == upper_port) - *src = flow->src_id, *dst = flow->dst_id; + if(flow->lower_ip == iph->saddr + && flow->upper_ip == iph->daddr + && flow->lower_port == htons(*sport) + && flow->upper_port == htons(*dport) + ) + *src = flow->src_id, *dst = flow->dst_id, *src_to_dst_direction = 1; else - *src = flow->dst_id, *dst = flow->src_id; + *src = flow->dst_id, *dst = flow->src_id, *src_to_dst_direction = 0, flow->bidirectional = 1; return flow; } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index ca9f20274..950f65f5a 100644 
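Review bot: After this change the new-flow path of get_ndpi_flow_info no longer writes `*src_to_dst_direction`; within the visible hunks it is assigned only in the existing-flow branch at the end of the -394 hunk. Unless the caller initialises the variable, the first packet of every flow would be processed with an indeterminate direction; setting `*src_to_dst_direction = 1;` next to `newflow->hashval = hashval;` makes the contract explicit. The rest of the new-flow branch lies outside the hunk, so this may already be handled there.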
--- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -43,11 +43,12 @@ // flow tracking typedef struct ndpi_flow_info { + u_int32_t hashval; u_int32_t lower_ip; u_int32_t upper_ip; u_int16_t lower_port; u_int16_t upper_port; - u_int8_t detection_completed, protocol, src_to_dst_direction; + u_int8_t detection_completed, protocol, bidirectional; u_int16_t vlan_id; struct ndpi_flow_struct *ndpi_flow; char lower_name[48], upper_name[48]; @@ -55,7 +56,7 @@ typedef struct ndpi_flow_info { u_int64_t last_seen; u_int64_t bytes; u_int32_t packets; - + // result only, not used for flow identification ndpi_protocol detected_protocol; -- cgit v1.2.3 From 6f27a4872198569d82e49a538c5eeb26e97558c7 Mon Sep 17 00:00:00 2001 From: berat Date: Fri, 19 May 2017 23:26:02 +0200 Subject: Added -b for saving port based diagnose statistics in json --- example/ndpiReader.c | 180 +++++++++++++++++++++++++++++++++++++++++++++++++-- example/ndpi_util.h | 3 + 2 files changed, 179 insertions(+), 4 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index e4f6b917f..45f2d89c6 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -59,6 +59,7 @@ static FILE *results_file = NULL; static char *results_path = NULL; static char *_bpf_filter = NULL; /**< bpf filter */ static char *_protoFilePath = NULL; /**< Protocol file path */ +static char *_statsFilePath = NULL; /**< Top stats file path */ #ifdef HAVE_JSON_C static char *_jsonFilePath = NULL; /**< JSON file path */ #endif @@ -69,6 +70,7 @@ static u_int8_t live_capture = 0; static u_int8_t undetected_flows_deleted = 0; /** User preferences **/ static u_int8_t enable_protocol_guess = 1, verbose = 0, nDPI_traceLevel = 0, json_flag = 0; +static u_int8_t stats_flag = 0, file_first_time = 1; static u_int32_t pcap_analysis_duration = (u_int32_t)-1; static u_int16_t decode_tunnels = 0; static u_int16_t num_loops = 1; 
@@ -86,12 +88,14 @@ static u_int32_t num_flows; struct info_pair{ char addr[48]; + char protocol[64]; /*l4 protocol*/ int count; }; typedef struct node_a{ char addr[48]; int count; + char protocol[64]; /*l4 protocol*/ struct node_a *left, *right; }addr_node; @@ -107,6 +111,20 @@ struct port_stats { struct port_stats *srcStats = NULL, *dstStats = NULL; +// struct to hold port based top statistics +struct top_stats { + u_int32_t port; /* we'll use this field as the key */ + char top_ip[48]; /*ip address that is contributed to > 95% of traffic*/ + char protocol[64]; /*application level protocol of top_ip */ + u_int32_t num_pkts; + float prcnt_pkt; /*percent of packets respect to total packets */ + u_int32_t num_addr; /*to hold number of distinct IP addresses */ + UT_hash_handle hh; /* makes this structure hashable */ +}; + +struct top_stats *topSrcStats = NULL, *topDstStats = NULL; + + struct ndpi_packet_trailer { u_int32_t magic; /* 0x19682017 */ u_int16_t master_protocol /* e.g. HTTP */, app_protocol /* e.g. FaceBook */; @@ -189,7 +207,8 @@ static void help(u_int long_help) { " -v <1|2|3> | Verbose 'unknown protocol' packet print.\n" " | 1 = verbose\n" " | 2 = very verbose\n" - " | 3 = port stats\n"); + " | 3 = port stats\n" + " -b | Specify a file to write port based diagnose statistics\n"); #ifndef WIN32 printf("\nExcap (wireshark) options:\n" @@ -360,7 +379,7 @@ static void parseOptions(int argc, char **argv) { if(trace) fprintf(trace, " #### %s #### \n", __FUNCTION__); #endif - while ((opt = getopt_long(argc, argv, "df:g:i:hp:l:s:tv:V:n:j:rp:w:q0123:456:7:89:m:", longopts, &option_idx)) != EOF) { + while ((opt = getopt_long(argc, argv, "df:g:i:hp:l:s:tv:V:n:j:rp:w:q0123:456:7:89:m:b:", longopts, &option_idx)) != EOF) { #ifdef DEBUG_TRACE if(trace) fprintf(trace, " #### -%c [%s] #### \n", opt, optarg ? optarg : ""); #endif 
@@ -375,6 +394,16 @@ static void parseOptions(int argc, char **argv) { _pcap_file[0] = optarg; break; + case 'b': +#ifndef HAVE_JSON_C + printf("WARNING: this copy of ndpiReader has been compiled without JSON-C: json export disabled\n"); +#else + _statsFilePath = optarg; + printf("FILE PATH %s\n",_statsFilePath); + stats_flag = 1; +#endif + break; + case 'm': pcap_analysis_duration = atol(optarg); break; 
@@ -1189,6 +1218,122 @@ static int info_pair_cmp (const void *_a, const void *_b) /* *********************************************** */ +static int top_stats_sort(void *_a, void *_b) { + struct top_stats *a = (struct top_stats*)_a; + struct top_stats *b = (struct top_stats*)_b; + + return(b->num_addr - a->num_addr); +} + +/* *********************************************** */ + +static void deleteTopStats(struct top_stats *stats) { + struct top_stats *current_port, *tmp; + + HASH_ITER(hh, stats, current_port, tmp) { + HASH_DEL(stats, current_port); + free(current_port); + } +} + +/* *********************************************** */ + +/** + * @brief Get port based top statistics + */ +static int getTopStats(struct top_stats **topStats, struct port_stats *stats, u_int64_t total_packet_count){ + struct top_stats *s; + struct port_stats *sp, *tmp; + struct info_pair inf; + float pkt_burst; + u_int64_t total_ip_addrs = 0; + + /* stats are ordered by packet number */ + HASH_ITER(hh, stats, sp, tmp){ + s = (struct top_stats *)malloc(sizeof(struct top_stats)); + memset(s, 0, sizeof(struct top_stats)); + + s->port = sp->port; + s->num_pkts = sp->num_pkts; + s->prcnt_pkt = (sp->num_pkts*100.0)/total_packet_count; + s->num_addr = sp->num_addr; + + qsort(&sp->top_ip_addrs[0], MAX_NUM_IP_ADDRESS, sizeof(struct info_pair), info_pair_cmp); + inf = sp->top_ip_addrs[0]; + + if(((inf.count * 100.0)/sp->cumulative_addr) > AGGRESSIVE_PERCENT){ + strncpy(s->top_ip, inf.addr, sizeof(s->top_ip)); + strncpy(s->protocol, inf.protocol, sizeof(s->protocol)); + } + + HASH_ADD_INT(*topStats, port, s); + + total_ip_addrs += sp->num_addr; + } + + return total_ip_addrs; + +} + +/* *********************************************** */ + +/* + * @brief Save Top Stats in json format + */ +static void saveTopStats(FILE *fp, struct top_stats *stats, int direction, u_int64_t total_ip_addr){ +#ifdef HAVE_JSON_C + struct top_stats *s, *tmp; + json_object *jsMain = json_object_new_object(); + json_object 
*jArray_filters = json_object_new_array(); + int i = 0; + + /* stats for packet burst diagnose */ + HASH_ITER(hh, stats, s, tmp) { + + if(s->top_ip[0] != '\0'){ + json_object *jObj_topStats = json_object_new_object(); + json_object_object_add(jObj_topStats,"port",json_object_new_int(s->port)); + json_object_object_add(jObj_topStats,"packets.number",json_object_new_int64(s->num_pkts)); + json_object_object_add(jObj_topStats,"packets.percent",json_object_new_double(s->prcnt_pkt)); + json_object_object_add(jObj_topStats,"aggressive.ip",json_object_new_string(s->top_ip)); + + json_object_array_add(jArray_filters,jObj_topStats); + i++; + + if(i >= 10) break; + } + } + + json_object_object_add(jsMain, (direction == DIR_SRC) ? "top.src.pckt.stats" : "top.dst.pckt.stats", jArray_filters); + + /*sort top stats by ip addr count*/ + HASH_SORT(stats, top_stats_sort); + + jArray_filters = json_object_new_array(); + i=0; + + /* stats for ip burst diagnose */ + HASH_ITER(hh, stats, s, tmp) { + + json_object *jObj_topStats = json_object_new_object(); + json_object_object_add(jObj_topStats,"port",json_object_new_int(s->port)); + json_object_object_add(jObj_topStats,"ip.total",json_object_new_int64(s->num_addr)); + json_object_object_add(jObj_topStats,"ip.percent",json_object_new_double((s->num_addr*100.0)/total_ip_addr)); + + json_object_array_add(jArray_filters,jObj_topStats); + i++; + + if(i >= 10) break; + } + + json_object_object_add(jsMain, (direction == DIR_SRC) ? "top.src.ip.stats" : "top.dst.ip.stats", jArray_filters); + + fprintf(fp,"%s\n",json_object_to_json_string(jsMain)); +#endif +} + +/* *********************************************** */ + void printPortStats(struct port_stats *stats) { struct port_stats *s, *tmp; int i = 0, j = 0; 
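Review bot: getTopStats() in this hunk passes the result of `malloc()` directly to `memset()`, so an allocation failure becomes a NULL dereference; `s = calloc(1, sizeof(*s)); if(s == NULL) break;` covers both the check and the zeroing. The function also returns `int` while accumulating into the `u_int64_t total_ip_addrs`, and the callers store the result in a `u_int64_t`, so the return type should be `u_int64_t`. In saveTopStats() the `jsMain` object is never released after the `fprintf`; a `json_object_put(jsMain);` before the `#endif` avoids leaking the whole report each time it is written.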
@@ -1226,6 +1371,7 @@ static void printResults(u_int64_t tot_usec) { char buf[32]; #ifdef HAVE_JSON_C FILE *json_fp = NULL; + FILE *stats_fp = NULL; json_object *jObj_main = NULL, *jObj_trafficStats, *jArray_detProto = NULL, *jObj; #endif long long unsigned int breed_stats[NUM_BREEDS] = { 0 }; @@ -1239,10 +1385,10 @@ static void printResults(u_int64_t tot_usec) { for(i=0; indpi_flows_root[i], node_proto_guess_walker, &thread_id); - if(verbose == 3) ndpi_twalk(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], port_stats_walker, &thread_id); + if(verbose == 3 || stats_flag) ndpi_twalk(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], port_stats_walker, &thread_id); } - if(verbose == 3) { + if(verbose == 3 || stats_flag) { HASH_SORT(srcStats, port_stats_sort); HASH_SORT(dstStats, port_stats_sort); } @@ -1475,6 +1621,32 @@ static void printResults(u_int64_t tot_usec) { #endif } + + if(stats_flag) { +#ifdef HAVE_JSON_C + u_int64_t total_src_addr = getTopStats(&topSrcStats, srcStats, cumulative_stats.ip_packet_count); + u_int64_t total_dst_addr = getTopStats(&topDstStats, dstStats, cumulative_stats.ip_packet_count); + + if(file_first_time && (stats_fp = fopen(_statsFilePath,"w")) == NULL || + !file_first_time && (stats_fp = fopen(_statsFilePath,"a")) == NULL) { + printf("Error creating file %s\n", _statsFilePath); + stats_flag = 0; + } + else { + file_first_time = 0; + + saveTopStats(stats_fp, topSrcStats, DIR_SRC, total_src_addr); + saveTopStats(stats_fp, topDstStats, DIR_DST, total_dst_addr); + + fclose(stats_fp); + + deleteTopStats(topSrcStats), deleteTopStats(topDstStats); + topSrcStats = NULL, topDstStats = NULL; + } +#endif + } + + if(verbose == 3) { printf("\n\nSource Ports Stats:\n"); printPortStats(srcStats); diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 950f65f5a..e8d301acb 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h 
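Review bot: In the `stats_flag` block of the -1475 hunk, getTopStats() has already populated `topSrcStats` and `topDstStats` when `fopen()` fails, but `deleteTopStats()` is reached only in the else branch, so the failure path leaks both hash tables. Moving `deleteTopStats(topSrcStats), deleteTopStats(topDstStats);` and `topSrcStats = NULL, topDstStats = NULL;` after the if/else releases them on both paths. The open condition mixes `&&` and `||` without parentheses; `stats_fp = fopen(_statsFilePath, file_first_time ? "w" : "a");` followed by a NULL check says the same thing more readably.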
@@ -40,6 +40,9 @@ #define TICK_RESOLUTION 1000 #define MAX_NUM_IP_ADDRESS 5 /* len of ip address array */ #define UPDATED_TREE 1 +#define AGGRESSIVE_PERCENT 95.00 +#define DIR_SRC 10 +#define DIR_DST 20 // flow tracking typedef struct ndpi_flow_info { -- cgit v1.2.3 From 26bd42a71c249575837021d5d8a6ae4c5bfa57b6 Mon Sep 17 00:00:00 2001 From: Alfredo Cardigliano Date: Tue, 23 May 2017 18:02:53 +0200 Subject: crc32 fix --- example/ndpiReader.c | 7 +++---- example/ndpi_util.c | 34 +++++++++++++++++----------------- example/ndpi_util.h | 2 +- 3 files changed, 21 insertions(+), 22 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index a1fa6f318..6aed8ec88 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1788,7 +1788,6 @@ static pcap_t * openPcapFileOrDevice(u_int16_t thread_id, const u_char * pcap_fi return pcap_handle; } - /** * @brief Check pcap packet */ @@ -1868,9 +1867,9 @@ static void pcap_process_packet(u_char *args, trailer->master_protocol = htons(p.master_protocol), trailer->app_protocol = htons(p.app_protocol); ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct, p, trailer->name, sizeof(trailer->name)); crc = (uint32_t*)&extcap_buf[h.caplen+sizeof(struct ndpi_packet_trailer)]; - *crc = 0; - ethernet_crc32((const void*)extcap_buf, h.caplen+sizeof(struct ndpi_packet_trailer), crc); - h.caplen += delta, h.len += delta; + *crc = ethernet_crc32((const void*)extcap_buf, h.caplen+sizeof(struct ndpi_packet_trailer)); + h.caplen += delta; + h.len += delta; #ifdef DEBUG_TRACE if(trace) fprintf(trace, "Dumping %u bytes packet\n", h.caplen); diff --git a/example/ndpi_util.c b/example/ndpi_util.c index d6836176a..1e7e498d0 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c 
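Review bot: The new `*crc = ethernet_crc32(...)` in the -1868 hunk stores a 32-bit value through a `uint32_t *` that points at `&extcap_buf[h.caplen+sizeof(struct ndpi_packet_trailer)]`, an offset that depends on the captured length and so is not generally 4-byte aligned. That is undefined behaviour in C and can fault on strict-alignment targets; `uint32_t c = ethernet_crc32((const void*)extcap_buf, h.caplen+sizeof(struct ndpi_packet_trailer)); memcpy(&extcap_buf[h.caplen+sizeof(struct ndpi_packet_trailer)], &c, sizeof(c));` writes the same bytes safely. The declaration of `extcap_buf` is outside the hunk, so this assumes it is a byte array, as the `sizeof` arithmetic suggests.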
@@ -884,10 +884,8 @@ struct ndpi_proto ndpi_workflow_process_packet (struct ndpi_workflow * workflow, /* ********************************************************** */ static uint32_t crc32_for_byte(uint32_t r) { - int j; - - for(j = 0; j < 8; ++j) - r = ((r & 1) ? 0 : ((uint32_t)0xEDB88320L) ^ r >> 1); + for(int j = 0; j < 8; ++j) + r = (r & 1? 0: (uint32_t)0xEDB88320L) ^ r >> 1; return r ^ (uint32_t)0xFF000000L; } @@ -897,31 +895,33 @@ static uint32_t crc32_for_byte(uint32_t r) { typedef unsigned long accum_t; static void init_tables(uint32_t* table, uint32_t* wtable) { - size_t i, k, w, j; - - for(i = 0; i < 0x100; ++i) + for(size_t i = 0; i < 0x100; ++i) table[i] = crc32_for_byte(i); - for(k = 0; k < sizeof(accum_t); ++k) - for(i = 0; i < 0x100; ++i) { - for(j = w = 0; j < sizeof(accum_t); ++j) + for(size_t k = 0; k < sizeof(accum_t); ++k) + for(size_t w, i = 0; i < 0x100; ++i) { + for(size_t j = w = 0; j < sizeof(accum_t); ++j) w = table[(uint8_t)(j == k? w ^ i: w)] ^ w >> 8; wtable[(k << 8) + i] = w ^ (k? wtable[0]: 0); } } -void ethernet_crc32(const void* data, size_t n_bytes, uint32_t* crc) { +static void __crc32(const void* data, size_t n_bytes, uint32_t* crc) { static uint32_t table[0x100], wtable[0x100*sizeof(accum_t)]; size_t n_accum = n_bytes/sizeof(accum_t); - size_t i, j; - if(!*table) init_tables(table, wtable); - for(i = 0; i < n_accum; ++i) { + for(size_t i = 0; i < n_accum; ++i) { accum_t a = *crc ^ ((accum_t*)data)[i]; - for(j = *crc = 0; j < sizeof(accum_t); ++j) + for(size_t j = *crc = 0; j < sizeof(accum_t); ++j) *crc ^= wtable[(j << 8) + (uint8_t)(a >> 8*j)]; } - - for(i = n_accum*sizeof(accum_t); i < n_bytes; ++i) + for(size_t i = n_accum*sizeof(accum_t); i < n_bytes; ++i) *crc = table[(uint8_t)*crc ^ ((uint8_t*)data)[i]] ^ *crc >> 8; } + +u_int32_t ethernet_crc32(const void* data, size_t n_bytes) { + u_int32_t crc = 0; + __crc32(data, n_bytes, &crc); + return crc; +} + 
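Review bot: In `__crc32` the word loop reads the input as `((accum_t*)data)[i]`, which drops the `const`, assumes `data` is aligned for `unsigned long`, and reads a byte buffer through an incompatible type; the caller shown in this commit passes `extcap_buf`, a packet buffer with no such guarantee. Loading the word with `accum_t w; memcpy(&w, (const uint8_t*)data + i*sizeof(w), sizeof(w));` and then `accum_t a = *crc ^ w;` keeps the same result without the unaligned access. The name `__crc32` is reserved for the implementation (double underscore); something like `crc32_update` avoids a clash. The lazy `if(!*table) init_tables(table, wtable);` on function-static tables is not synchronised, which matters if several reader threads can reach it at once; initialising once before the threads start would remove the question.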
diff --git a/example/ndpi_util.h b/example/ndpi_util.h index e8d301acb..d7fdd9928 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -165,6 +165,6 @@ static inline void ndpi_workflow_set_flow_giveup_callback(struct ndpi_workflow * /* compare two nodes in workflow */ int ndpi_workflow_node_cmp(const void *a, const void *b); void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow); -void ethernet_crc32(const void* data, size_t n_bytes, uint32_t* crc); +u_int32_t ethernet_crc32(const void* data, size_t n_bytes); void ndpi_flow_info_freer(void *node); #endif -- cgit v1.2.3 From 904210e87cc792d48b610356647995f506c15e4e Mon Sep 17 00:00:00 2001 From: Luca Deri Date: Wed, 24 May 2017 16:06:23 +0200 Subject: Split src2dst / dst2src traffic --- example/Makefile.am | 2 +- example/ndpiReader.c | 35 ++++++++++++++++++++--------------- example/ndpi_util.c | 11 ++++++++--- example/ndpi_util.h | 4 ++-- 4 files changed, 31 insertions(+), 21 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/Makefile.am b/example/Makefile.am index 1a0570b1f..1a2bf453d 100644 --- a/example/Makefile.am +++ b/example/Makefile.am @@ -3,7 +3,7 @@ bin_PROGRAMS = ndpiReader AM_CPPFLAGS = -I$(top_srcdir)/src/include @PCAP_INC@ AM_CFLAGS = @PTHREAD_CFLAGS@ # --coverage -LDADD = $(top_builddir)/src/lib/libndpi.la @JSON_C_LIB@ @PTHREAD_LIBS@ @PCAP_LIB@ @DL_LIB@ +LDADD = $(top_builddir)/src/lib/libndpi.la @JSON_C_LIB@ @PTHREAD_LIBS@ @PCAP_LIB@ @DL_LIB@ -lm AM_LDFLAGS = -static @DL_LIB@ ndpiReader_SOURCES = ndpiReader.c ndpi_util.c ndpi_util.h diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 6aed8ec88..6346dca01 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -42,6 +42,7 @@ #include #include #include +#include #include "../config.h" #include "ndpi_api.h" #include "uthash.h" 
@@ -662,8 +663,10 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { flow->detected_protocol.app_protocol, ndpi_get_proto_name(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->detected_protocol.app_protocol)); - fprintf(out, "[%u pkts/%llu bytes]", - flow->packets, (long long unsigned int) flow->bytes); + fprintf(out, "[%u pkts/%llu bytes ", flow->src2dst_packets, (long long unsigned int) flow->src2dst_bytes); + fprintf(out, "%s %u pkts/%llu bytes]", + (flow->dst2src_packets > 0) ? "<->" : "->", + flow->dst2src_packets, (long long unsigned int) flow->dst2src_bytes); if(flow->host_server_name[0] != '\0') fprintf(out, "[Host: %s]", flow->host_server_name); if(flow->info[0] != '\0') fprintf(out, "[%s]", flow->info); @@ -702,8 +705,8 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { json_object_new_string(ndpi_get_proto_name(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->detected_protocol.app_protocol))); - json_object_object_add(jObj,"packets",json_object_new_int(flow->packets)); - json_object_object_add(jObj,"bytes",json_object_new_int(flow->bytes)); + json_object_object_add(jObj,"packets",json_object_new_int(flow->src2dst_packets + flow->dst2src_packets)); + json_object_object_add(jObj,"bytes",json_object_new_int(flow->src2dst_bytes + flow->dst2src_bytes)); if(flow->host_server_name[0] != '\0') json_object_object_add(jObj,"host.server.name",json_object_new_string(flow->host_server_name)); 
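Review bot: In the JSON branch of printFlow, `json_object_new_int` takes a 32-bit signed value while `flow->src2dst_bytes + flow->dst2src_bytes` is a sum of `u_int64_t` counters, so the "bytes" field is truncated for flows above 2 GiB even though the text output a few lines earlier prints the full value with `%llu`. `json_object_new_int64(flow->src2dst_bytes + flow->dst2src_bytes)` keeps the JSON consistent with the text report; the same call is safer for the "packets" sum, since two `u_int32_t` counters can exceed `INT32_MAX`. The function body starts and ends outside this hunk.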
@@ -796,8 +799,8 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept } process_ndpi_collected_info(ndpi_thread_info[thread_id].workflow, flow); - ndpi_thread_info[thread_id].workflow->stats.protocol_counter[flow->detected_protocol.app_protocol] += flow->packets; - ndpi_thread_info[thread_id].workflow->stats.protocol_counter_bytes[flow->detected_protocol.app_protocol] += flow->bytes; + ndpi_thread_info[thread_id].workflow->stats.protocol_counter[flow->detected_protocol.app_protocol] += flow->src2dst_packets + flow->dst2src_packets; + ndpi_thread_info[thread_id].workflow->stats.protocol_counter_bytes[flow->detected_protocol.app_protocol] += flow->src2dst_bytes + flow->dst2src_bytes; ndpi_thread_info[thread_id].workflow->stats.protocol_flows[flow->detected_protocol.app_protocol]++; } } @@ -898,17 +901,20 @@ void updateTopIpAddress(const char *addr, int count, struct info_pair top[], int } /* *********************************************** */ -static void updatePortStats(struct port_stats **stats, u_int32_t port, const char *addr, u_int32_t num_pkts, u_int32_t num_bytes) { + +static void updatePortStats(struct port_stats **stats, u_int32_t port, + const char *addr, u_int32_t num_pkts, + u_int32_t num_bytes) { struct port_stats *s; - int count=0; + int count = 0; HASH_FIND_INT(*stats, &port, s); if(s == NULL) { s = (struct port_stats*)malloc(sizeof(struct port_stats)); if(!s) return; - s->port = port, s->num_pkts = num_pkts, s->num_bytes = num_bytes; - s->num_addr = 1, s->cumulative_addr = 1; + s->port = port, s->num_pkts = num_pkts, s->num_bytes = num_bytes, + s->num_addr = 1, s->cumulative_addr = 1; memset(s->top_ip_addrs, 0, MAX_NUM_IP_ADDRESS*sizeof(struct info_pair)); updateTopIpAddress(addr, 1, s->top_ip_addrs, MAX_NUM_IP_ADDRESS); 
@@ -958,15 +964,14 @@ static void deletePortsStats(struct port_stats *stats) { static void port_stats_walker(const void *node, ndpi_VISIT which, int depth, void *user_data) { struct ndpi_flow_info *flow = *(struct ndpi_flow_info **) node; u_int16_t sport, dport; - char saddr[48]; - char daddr[48]; + char saddr[48], daddr[48]; sport = ntohs(flow->lower_port), dport = ntohs(flow->upper_port); strncpy(saddr, flow->lower_name, sizeof(saddr)); strncpy(daddr, flow->upper_name, sizeof(daddr)); - updatePortStats(&srcStats, sport, saddr, flow->packets, flow->bytes); - updatePortStats(&dstStats, dport, daddr, flow->packets, flow->bytes); + updatePortStats(&srcStats, sport, saddr, flow->src2dst_packets, flow->src2dst_bytes); + if(flow->dst2src_packets > 0) updatePortStats(&dstStats, dport, daddr, flow->dst2src_packets, flow->dst2src_bytes); } /* *********************************************** */ @@ -1257,7 +1262,7 @@ static int getTopStats(struct top_stats **topStats, struct port_stats *stats, u_ s->port = sp->port; s->num_pkts = sp->num_pkts; - s->prcnt_pkt = (sp->num_pkts*100.0)/total_packet_count; + s->prcnt_pkt = (sp->num_pkts*100.0)/total_packet_count; s->num_addr = sp->num_addr; qsort(&sp->top_ip_addrs[0], MAX_NUM_IP_ADDRESS, sizeof(struct info_pair), info_pair_cmp); diff --git a/example/ndpi_util.c b/example/ndpi_util.c index e90400b8f..ef4353e81 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c @@ -511,7 +511,12 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, workflow->stats.total_wire_bytes += rawsize + 24 /* CRC etc */, workflow->stats.total_ip_bytes += rawsize; ndpi_flow = flow->ndpi_flow; - flow->packets++, flow->bytes += rawsize; + + if(src_to_dst_direction) + flow->src2dst_packets++, flow->src2dst_bytes += rawsize; + else + flow->dst2src_packets++, flow->dst2src_bytes += rawsize; + flow->last_seen = time; } else { // flow is NULL workflow->stats.total_discarded_bytes++; 
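Review bot: In port_stats_walker the new calls pass `flow->src2dst_bytes` and `flow->dst2src_bytes`, which this commit declares as `u_int64_t`, into `updatePortStats`, whose last parameter is `u_int32_t num_bytes`, so per-port byte totals silently wrap at 4 GiB. Widening the parameter to `u_int64_t num_bytes` in the signature reformatted by this same commit fixes the call sites shown here; the `num_bytes` field of `struct port_stats` is not visible and would need the same width. The `if(flow->dst2src_packets > 0)` guard is a good addition and could carry a short comment saying that one-way flows are not counted in the destination table.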
@@ -526,8 +531,8 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, ipsize, time, src, dst); if((flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN) - || ((proto == IPPROTO_UDP) && (flow->packets > 8)) - || ((proto == IPPROTO_TCP) && (flow->packets > 10))) { + || ((proto == IPPROTO_UDP) && ((flow->src2dst_packets + flow->dst2src_packets) > 8)) + || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) { /* New protocol detected or give up */ flow->detection_completed = 1; diff --git a/example/ndpi_util.h b/example/ndpi_util.h index d7fdd9928..f1807e56a 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -57,8 +57,8 @@ typedef struct ndpi_flow_info { char lower_name[48], upper_name[48]; u_int8_t ip_version; u_int64_t last_seen; - u_int64_t bytes; - u_int32_t packets; + u_int64_t src2dst_bytes, dst2src_bytes; + u_int32_t src2dst_packets, dst2src_packets; // result only, not used for flow identification ndpi_protocol detected_protocol; -- cgit v1.2.3 From 993605d4f38e6e63a9ca6fee14a60688ae9df0de Mon Sep 17 00:00:00 2001 From: Luca Date: Wed, 24 May 2017 18:53:51 +0200 Subject: Fixed bug that was forcing the reader to pass several times the same flow renamed some variables --- example/ndpiReader.c | 43 +++++++++++++++++++++++-------------------- example/ndpi_util.c | 52 ++++++++++++++++++++++++++-------------------------- example/ndpi_util.h | 10 +++++----- 3 files changed, 54 insertions(+), 51 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 6346dca01..6184ea380 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c 
@@ -643,10 +643,10 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { fprintf(out, "%s%s%s:%u %s %s%s%s:%u ", (flow->ip_version == 6) ? "[" : "", - flow->lower_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->lower_port), + flow->src_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->src_port), flow->bidirectional ? "<->" : "->", (flow->ip_version == 6) ? "[" : "", - flow->upper_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->upper_port) + flow->dst_name, (flow->ip_version == 6) ? "]" : "", ntohs(flow->dst_port) ); if(flow->vlan_id > 0) fprintf(out, "[VLAN: %u]", flow->vlan_id); @@ -681,10 +681,10 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { jObj = json_object_new_object(); json_object_object_add(jObj,"protocol",json_object_new_string(ipProto2Name(flow->protocol))); - json_object_object_add(jObj,"host_a.name",json_object_new_string(flow->lower_name)); - json_object_object_add(jObj,"host_a.port",json_object_new_int(ntohs(flow->lower_port))); - json_object_object_add(jObj,"host_b.name",json_object_new_string(flow->upper_name)); - json_object_object_add(jObj,"host_b.port",json_object_new_int(ntohs(flow->upper_port))); + json_object_object_add(jObj,"host_a.name",json_object_new_string(flow->src_name)); + json_object_object_add(jObj,"host_a.port",json_object_new_int(ntohs(flow->src_port))); + json_object_object_add(jObj,"host_b.name",json_object_new_string(flow->dst_name)); + json_object_object_add(jObj,"host_b.port",json_object_new_int(ntohs(flow->dst_port))); if(flow->detected_protocol.master_protocol) json_object_object_add(jObj,"detected.master_protocol",json_object_new_int(flow->detected_protocol.master_protocol)); 
@@ -768,10 +768,10 @@ static u_int16_t node_guess_undetected_protocol(u_int16_t thread_id, struct ndpi flow->detected_protocol = ndpi_guess_undetected_protocol(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->protocol, - ntohl(flow->lower_ip), - ntohs(flow->lower_port), - ntohl(flow->upper_ip), - ntohs(flow->upper_port)); + ntohl(flow->src_ip), + ntohs(flow->src_port), + ntohl(flow->dst_ip), + ntohs(flow->dst_port)); // printf("Guess state: %u\n", flow->detected_protocol); if(flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN) ndpi_thread_info[thread_id].workflow->stats.guessed_flow_protocols++; @@ -806,6 +806,7 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept } /* *********************************************** */ + int updateIpTree(const char *key, addr_node **vrootp) { addr_node *q; addr_node **rootp = vrootp; 
@@ -962,16 +963,18 @@ static void deletePortsStats(struct port_stats *stats) { * @brief Ports stats */ static void port_stats_walker(const void *node, ndpi_VISIT which, int depth, void *user_data) { - struct ndpi_flow_info *flow = *(struct ndpi_flow_info **) node; - u_int16_t sport, dport; - char saddr[48], daddr[48]; - - sport = ntohs(flow->lower_port), dport = ntohs(flow->upper_port); - strncpy(saddr, flow->lower_name, sizeof(saddr)); - strncpy(daddr, flow->upper_name, sizeof(daddr)); - - updatePortStats(&srcStats, sport, saddr, flow->src2dst_packets, flow->src2dst_bytes); - if(flow->dst2src_packets > 0) updatePortStats(&dstStats, dport, daddr, flow->dst2src_packets, flow->dst2src_bytes); + if((which == ndpi_preorder) || (which == ndpi_leaf)) { /* Avoid walking the same node multiple times */ + struct ndpi_flow_info *flow = *(struct ndpi_flow_info **) node; + u_int16_t sport, dport; + char saddr[48], daddr[48]; + + sport = ntohs(flow->src_port), dport = ntohs(flow->dst_port); + strncpy(saddr, flow->src_name, sizeof(saddr)); + strncpy(daddr, flow->dst_name, sizeof(daddr)); + + updatePortStats(&srcStats, sport, saddr, flow->src2dst_packets, flow->src2dst_bytes); + if(flow->dst2src_packets > 0) updatePortStats(&dstStats, dport, daddr, flow->dst2src_packets, flow->dst2src_bytes); + } } /* *********************************************** */ diff --git a/example/ndpi_util.c b/example/ndpi_util.c index ef4353e81..75bab6319 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c 
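Review bot: The re-indented body of port_stats_walker still copies the names with `strncpy(saddr, flow->src_name, sizeof(saddr));`, which leaves `saddr` unterminated if the source ever fills all 48 bytes; it is safe today only because both arrays are `char[48]` and the names come from `inet_ntop`. Since `updatePortStats` takes a `const char *addr`, the copies can be dropped and the fields passed directly, `updatePortStats(&srcStats, sport, flow->src_name, flow->src2dst_packets, flow->src2dst_bytes);`, or replaced by `snprintf(saddr, sizeof(saddr), "%s", flow->src_name);` if a local copy is wanted. The comment on the new `which` test would be clearer as `/* ndpi_twalk visits inner nodes three times; count each flow once */`, assuming ndpi_twalk follows the usual twalk visiting order.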
@@ -164,25 +164,25 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) { if( ( - (fa->lower_ip == fb->lower_ip ) - && (fa->lower_port == fb->lower_port) - && (fa->upper_ip == fb->upper_ip ) - && (fa->upper_port == fb->upper_port) + (fa->src_ip == fb->src_ip ) + && (fa->src_port == fb->src_port) + && (fa->dst_ip == fb->dst_ip ) + && (fa->dst_port == fb->dst_port) ) || ( - (fa->lower_ip == fb->upper_ip ) - && (fa->lower_port == fb->upper_port) - && (fa->upper_ip == fb->lower_ip ) - && (fa->upper_port == fb->lower_port) + (fa->src_ip == fb->dst_ip ) + && (fa->src_port == fb->dst_port) + && (fa->dst_ip == fb->src_ip ) + && (fa->dst_port == fb->src_port) ) ) return(0); - if(fa->lower_ip < fb->lower_ip ) return(-1); else { if(fa->lower_ip > fb->lower_ip ) return(1); } - if(fa->lower_port < fb->lower_port) return(-1); else { if(fa->lower_port > fb->lower_port) return(1); } - if(fa->upper_ip < fb->upper_ip ) return(-1); else { if(fa->upper_ip > fb->upper_ip ) return(1); } - if(fa->upper_port < fb->upper_port) return(-1); else { if(fa->upper_port > fb->upper_port) return(1); } + if(fa->src_ip < fb->src_ip ) return(-1); else { if(fa->src_ip > fb->src_ip ) return(1); } + if(fa->src_port < fb->src_port) return(-1); else { if(fa->src_port > fb->src_port) return(1); } + if(fa->dst_ip < fb->dst_ip ) return(-1); else { if(fa->dst_ip > fb->dst_ip ) return(1); } + if(fa->dst_port < fb->dst_port) return(-1); else { if(fa->dst_port > fb->dst_port) return(1); } return(0); /* notreached */ } 
@@ -291,9 +291,9 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow } flow.protocol = iph->protocol, flow.vlan_id = vlan_id; - flow.lower_ip = iph->saddr, flow.upper_ip = iph->daddr; - flow.lower_port = htons(*sport), flow.upper_port = htons(*dport); - flow.hashval = hashval = flow.protocol + flow.vlan_id + flow.lower_ip + flow.upper_ip + flow.lower_port + flow.upper_port; + flow.src_ip = iph->saddr, flow.dst_ip = iph->daddr; + flow.src_port = htons(*sport), flow.dst_port = htons(*dport); + flow.hashval = hashval = flow.protocol + flow.vlan_id + flow.src_ip + flow.dst_ip + flow.src_port + flow.dst_port; idx = hashval % workflow->prefs.num_roots; ret = ndpi_tfind(&flow, &workflow->ndpi_flows_root[idx], ndpi_workflow_node_cmp); 
@@ -314,18 +314,18 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow memset(newflow, 0, sizeof(struct ndpi_flow_info)); newflow->hashval = hashval; newflow->protocol = iph->protocol, newflow->vlan_id = vlan_id; - newflow->lower_ip = iph->saddr, newflow->upper_ip = iph->daddr; - newflow->lower_port = htons(*sport), newflow->upper_port = htons(*dport); + newflow->src_ip = iph->saddr, newflow->dst_ip = iph->daddr; + newflow->src_port = htons(*sport), newflow->dst_port = htons(*dport); newflow->ip_version = version; if(version == IPVERSION) { - inet_ntop(AF_INET, &newflow->lower_ip, newflow->lower_name, sizeof(newflow->lower_name)); - inet_ntop(AF_INET, &newflow->upper_ip, newflow->upper_name, sizeof(newflow->upper_name)); + inet_ntop(AF_INET, &newflow->src_ip, newflow->src_name, sizeof(newflow->src_name)); + inet_ntop(AF_INET, &newflow->dst_ip, newflow->dst_name, sizeof(newflow->dst_name)); } else { - inet_ntop(AF_INET6, &iph6->ip6_src, newflow->lower_name, sizeof(newflow->lower_name)); - inet_ntop(AF_INET6, &iph6->ip6_dst, newflow->upper_name, sizeof(newflow->upper_name)); + inet_ntop(AF_INET6, &iph6->ip6_src, newflow->src_name, sizeof(newflow->src_name)); + inet_ntop(AF_INET6, &iph6->ip6_dst, newflow->dst_name, sizeof(newflow->dst_name)); /* For consistency across platforms replace :0: with :: */ - patchIPv6Address(newflow->lower_name), patchIPv6Address(newflow->upper_name); + patchIPv6Address(newflow->src_name), patchIPv6Address(newflow->dst_name); } if((newflow->ndpi_flow = ndpi_flow_malloc(SIZEOF_FLOW_STRUCT)) == NULL) { 
@@ -359,10 +359,10 @@ static struct ndpi_flow_info *get_ndpi_flow_info(struct ndpi_workflow * workflow } else { struct ndpi_flow_info *flow = *(struct ndpi_flow_info**)ret; - if(flow->lower_ip == iph->saddr - && flow->upper_ip == iph->daddr - && flow->lower_port == htons(*sport) - && flow->upper_port == htons(*dport) + if(flow->src_ip == iph->saddr + && flow->dst_ip == iph->daddr + && flow->src_port == htons(*sport) + && flow->dst_port == htons(*dport) ) *src = flow->src_id, *dst = flow->dst_id, *src_to_dst_direction = 1; else diff --git a/example/ndpi_util.h b/example/ndpi_util.h index f1807e56a..6bed00854 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -47,14 +47,14 @@ // flow tracking typedef struct ndpi_flow_info { u_int32_t hashval; - u_int32_t lower_ip; - u_int32_t upper_ip; - u_int16_t lower_port; - u_int16_t upper_port; + u_int32_t src_ip; + u_int32_t dst_ip; + u_int16_t src_port; + u_int16_t dst_port; u_int8_t detection_completed, protocol, bidirectional; u_int16_t vlan_id; struct ndpi_flow_struct *ndpi_flow; - char lower_name[48], upper_name[48]; + char src_name[48], dst_name[48]; u_int8_t ip_version; u_int64_t last_seen; u_int64_t src2dst_bytes, dst2src_bytes; -- cgit v1.2.3 From 7235c9a73a4da26e98a82dc639a4a1c28653ee2a Mon Sep 17 00:00:00 2001 From: berat Date: Fri, 23 Jun 2017 12:14:31 +0200 Subject: Added -x flag. Produces a bpf filter based on diagnose information generated by -b flag --- example/ndpiReader.c | 282 +++++++++++++++++++++++++++++++++++++++++++++------ example/ndpi_util.h | 4 + 2 files changed, 253 insertions(+), 33 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 4e84bd7fc..09b909c22 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -46,6 +46,10 @@ #include "../config.h" #include "ndpi_api.h" #include "uthash.h" +#include +#include +#include +#include #ifdef HAVE_JSON_C #include 
@@ -62,6 +66,7 @@ static char *_bpf_filter = NULL; /**< bpf filter */ static char *_protoFilePath = NULL; /**< Protocol file path */ static char *_statsFilePath = NULL; /**< Top stats file path */ #ifdef HAVE_JSON_C +static char *_diagnoseFilePath = NULL; /**< Top stats file path */ static char *_jsonFilePath = NULL; /**< JSON file path */ static FILE *stats_fp = NULL; /**< for Top Stats JSON file */ #endif @@ -73,7 +78,7 @@ static u_int8_t live_capture = 0; static u_int8_t undetected_flows_deleted = 0; /** User preferences **/ static u_int8_t enable_protocol_guess = 1, verbose = 0, nDPI_traceLevel = 0, json_flag = 0; -static u_int8_t stats_flag = 0, file_first_time = 1; +static u_int8_t stats_flag = 0, file_first_time = 1, bpf_filter_flag = 0; static u_int32_t pcap_analysis_duration = (u_int32_t)-1; static u_int16_t decode_tunnels = 0; static u_int16_t num_loops = 1; @@ -203,7 +208,7 @@ static void help(u_int long_help) { printf("ndpiReader -i [-f ][-s ][-m ]\n" " [-p ][-l [-q][-d][-h][-t][-v ]\n" - " [-n ] [-w ] [-j ]\n\n" + " [-n ] [-w ] [-j ] [-x ] \n\n" "Usage:\n" " -i | Specify a pcap file/playlist to read packets from or a\n" " | device for live capture (comma-separated list)\n" @@ -229,7 +234,10 @@ static void help(u_int long_help) { " | 1 = verbose\n" " | 2 = very verbose\n" " | 3 = port stats\n" - " -b | Specify a file to write port based diagnose statistics\n"); + " -b | Specify a file to write port based diagnose statistics\n" + " -x | Produce bpf filters for specified diagnose file. Use\n" + " | this option only for .json files generated with -b flag.\n"); + #ifndef WIN32 printf("\nExcap (wireshark) options:\n" 
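Review bot: The doc comment on the new `_diagnoseFilePath` was copied from `_statsFilePath` and still reads "Top stats file path"; `/**< Diagnose file (produced with -b) read by -x */` would describe what the variable holds. `file_first_time` and `bpf_filter_flag` now share a line with `stats_flag` and have no comment at all; one line each saying what sets them would help, for example `/* set by -x: only build a bpf filter, no capture */`.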
@@ -400,7 +408,7 @@ static void parseOptions(int argc, char **argv) { if(trace) fprintf(trace, " #### %s #### \n", __FUNCTION__); #endif - while ((opt = getopt_long(argc, argv, "df:g:i:hp:l:s:tv:V:n:j:rp:w:q0123:456:7:89:m:b:", longopts, &option_idx)) != EOF) { + while ((opt = getopt_long(argc, argv, "df:g:i:hp:l:s:tv:V:n:j:rp:w:q0123:456:7:89:m:b:x:", longopts, &option_idx)) != EOF) { #ifdef DEBUG_TRACE if(trace) fprintf(trace, " #### -%c [%s] #### \n", opt, optarg ? optarg : ""); #endif @@ -428,6 +436,15 @@ static void parseOptions(int argc, char **argv) { pcap_analysis_duration = atol(optarg); break; + case 'x': +#ifndef HAVE_JSON_C + printf("WARNING: this copy of ndpiReader has been compiled without JSON-C: json export disabled\n"); +#else + _diagnoseFilePath = optarg; + bpf_filter_flag = 1; +#endif + break; + case 'f': case '6': _bpf_filter = optarg; 
@@ -535,42 +552,45 @@ static void parseOptions(int argc, char **argv) { } } - if(do_capture) { - quiet_mode = 1; - extcap_capture(); - } + if(!bpf_filter_flag){ + + if(do_capture) { + quiet_mode = 1; + extcap_capture(); + } - // check parameters - if(_pcap_file[0] == NULL || strcmp(_pcap_file[0], "") == 0) { - help(0); - } + // check parameters + if(!bpf_filter_flag && (_pcap_file[0] == NULL || strcmp(_pcap_file[0], "") == 0)) { + help(0); + } - if(strchr(_pcap_file[0], ',')) { /* multiple ingress interfaces */ - num_threads = 0; /* setting number of threads = number of interfaces */ - __pcap_file = strtok(_pcap_file[0], ","); - while (__pcap_file != NULL && num_threads < MAX_NUM_READER_THREADS) { - _pcap_file[num_threads++] = __pcap_file; - __pcap_file = strtok(NULL, ","); + if(strchr(_pcap_file[0], ',')) { /* multiple ingress interfaces */ + num_threads = 0; /* setting number of threads = number of interfaces */ + __pcap_file = strtok(_pcap_file[0], ","); + while (__pcap_file != NULL && num_threads < MAX_NUM_READER_THREADS) { + _pcap_file[num_threads++] = __pcap_file; + __pcap_file = strtok(NULL, ","); + } + } else { + if(num_threads > MAX_NUM_READER_THREADS) num_threads = MAX_NUM_READER_THREADS; + for(thread_id = 1; thread_id < num_threads; thread_id++) + _pcap_file[thread_id] = _pcap_file[0]; } - } else { - if(num_threads > MAX_NUM_READER_THREADS) num_threads = MAX_NUM_READER_THREADS; - for(thread_id = 1; thread_id < num_threads; thread_id++) - _pcap_file[thread_id] = _pcap_file[0]; - } #ifdef linux - for(thread_id = 0; thread_id < num_threads; thread_id++) - core_affinity[thread_id] = -1; - - if(num_cores > 1 && bind_mask != NULL) { - char *core_id = strtok(bind_mask, ":"); - thread_id = 0; - while (core_id != NULL && thread_id < num_threads) { - core_affinity[thread_id++] = atoi(core_id) % num_cores; - core_id = strtok(NULL, ":"); + for(thread_id = 0; thread_id < num_threads; thread_id++) + core_affinity[thread_id] = -1; + + if(num_cores > 1 && bind_mask != 
NULL) { + char *core_id = strtok(bind_mask, ":"); + thread_id = 0; + while (core_id != NULL && thread_id < num_threads) { + core_affinity[thread_id++] = atoi(core_id) % num_cores; + core_id = strtok(NULL, ":"); + } } - } #endif + } #ifdef DEBUG_TRACE if(trace) fclose(trace); @@ -1354,6 +1374,7 @@ static int info_pair_cmp (const void *_a, const void *_b) { struct info_pair *a = (struct info_pair *)_a; struct info_pair *b = (struct info_pair *)_b; + return b->count - a->count; } 
@@ -2243,6 +2264,193 @@ void automataUnitTest() { ndpi_free_automa(automa); } +/* *********************************************** */ + +/** + * @brief Produce port based pbf filter for port array + * and saves it in .json format + */ + +void bpf_filter_produce_filter(int port_array[], int size, char *filePath){ + char *prefix = "bpf_filter_"; + char _filterFilePath[1024]; + char *fileName; + FILE *fp = NULL; + char filter[1024]; + char buf[10]; + int produced = 0; + int i = 0; + + printf("producing bpf filter...\n"); + + strcpy(filter, "not (dst port "); + + while(i < size && port_array[i] != INIT_VAL){ + if(i+1 == size || port_array[i+1] == INIT_VAL) + snprintf(buf, sizeof(buf), "%d", port_array[i]); + else + snprintf(buf, sizeof(buf), "%d or ", port_array[i]); + strncat(filter, buf, sizeof(buf)); + i++; + + produced = 1; + } + + strncat(filter, ")", sizeof(")")); + + + fileName = basename(filePath); + snprintf(_filterFilePath, sizeof(_filterFilePath), "%s%s", prefix, fileName); + + if((fp = fopen(_filterFilePath,"w")) == NULL) { + printf("Error creating .json file %s\n", _filterFilePath); + exit(-1); + } + + json_object *jObj_bpfFilter = json_object_new_object(); + if(produced) + json_object_object_add(jObj_bpfFilter, "filter", json_object_new_string(filter)); + else + json_object_object_add(jObj_bpfFilter, "filter", json_object_new_string("")); + + fprintf(fp,"%s\n",json_object_to_json_string(jObj_bpfFilter)); + fclose(fp); + + printf("created: %s\n", _filterFilePath); + +} + +/* *********************************************** */ +/** + * @brief Initialize port array + */ + +void bpf_filter_port_array_init(int array[], int size){ + int i; + for(i=0; i FLOWS_PACKETS_TRESHOLD) && (flows_percent >= FLOWS_PERCENT_TRESHOLD)){ + + if((res = json_object_object_get_ex(src_pkts_stat, "port", &jObj_port)) == 0){ + printf("ERROR: invalid json file. 
Use -x flag only for .json files generated with -b flag.\n"); + exit(-1); + } + int port = json_object_get_int(jObj_port); + + bpf_filter_port_array_add(filterPorts, PORT_ARRAY_SIZE, port); + } + } + } + + json_object_put(jObj); /* free memory */ + + bpf_filter_produce_filter(filterPorts, PORT_ARRAY_SIZE, filePath); + +} +#endif + + +/* *********************************************** */ + + /** @brief MAIN FUNCTION **/ @@ -2256,6 +2464,14 @@ int main(int argc, char **argv) { parseOptions(argc, argv); + if(bpf_filter_flag){ +#ifdef HAVE_JSON_C + produceBpfFilters(_diagnoseFilePath); + return 0; +#endif + } + + if((!json_flag) && (!quiet_mode)) { printf("\n-----------------------------------------------------------\n" "* NOTE: This is demo app to show *some* nDPI features.\n" diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 6bed00854..0a465a3c0 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -43,6 +43,10 @@ #define AGGRESSIVE_PERCENT 95.00 #define DIR_SRC 10 #define DIR_DST 20 +#define PORT_ARRAY_SIZE 20 +#define FLOWS_PACKETS_TRESHOLD 0.9 +#define FLOWS_PERCENT_TRESHOLD 1.0 +#define INIT_VAL -1 // flow tracking typedef struct ndpi_flow_info { -- cgit v1.2.3 From e857c5fb41b8bbfbc61efcba1b787eeaa87dc089 Mon Sep 17 00:00:00 2001 From: berat Date: Fri, 30 Jun 2017 09:52:26 +0200 Subject: extended bpf filter produced by -x flag to include hosts --- example/ndpiReader.c | 323 ++++++++++++++++++++++++++++++++++++++++----------- example/ndpi_util.h | 1 + 2 files changed, 255 insertions(+), 69 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 8d8ad85fe..4f54e4793 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c 
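Review bot: In `bpf_filter_produce_filter` the third argument of `strncat(filter, buf, sizeof(buf))` is the size of the source buffer, not the room left in `filter`, so nothing in the loop bounds the write into `filter[1024]`; it stays in range only because `PORT_ARRAY_SIZE` is small. Bounding by the destination makes that explicit: `strncat(filter, buf, sizeof(filter) - strlen(filter) - 1);`, and the same for the closing `")"`. The ports are taken from the file with `json_object_get_int` and added without a range check, so a value outside 0..65535 is cut by `buf[10]` and ends up as an invalid filter; rejecting such values before `bpf_filter_port_array_add` would be safer. Part of this hunk is garbled on the page, so the array helpers and the start of `produceBpfFilters` could not be reviewed.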
@@ -1309,7 +1309,10 @@ static void json_open_stats_file() { } static void json_close_stats_file() { - fprintf(stats_fp,"%s\n",json_object_to_json_string(jArray_topStats)); + json_object *jObjFinal = json_object_new_object(); + json_object_object_add(jObjFinal,"duration.in.seconds",json_object_new_int(pcap_analysis_duration)); + json_object_object_add(jObjFinal,"statistics", jArray_topStats); + fprintf(stats_fp,"%s\n",json_object_to_json_string(jObjFinal)); fclose(stats_fp); } #endif @@ -1538,6 +1541,7 @@ static void saveTopStats(json_object **jObj_group, json_object_object_add(jObj_stat,"port",json_object_new_int(s->port)); json_object_object_add(jObj_stat,"ip.total",json_object_new_int64(s->num_addr)); json_object_object_add(jObj_stat,"ip.percent",json_object_new_double((s->num_addr*100.0)/total_ip_addr)); + json_object_object_add(jObj_stat,"flows.number",json_object_new_double(s->num_flows)); json_object_array_add(jArray_stats,jObj_stat); i++; @@ -1850,9 +1854,6 @@ static void printResults(u_int64_t tot_usec) { if(stats_flag) { #ifdef HAVE_JSON_C - u_int64_t total_src_addr = getTopStats(&topSrcStats, srcStats); - u_int64_t total_dst_addr = getTopStats(&topDstStats, dstStats); - json_object *jObj_stats = json_object_new_object(); char timestamp[64]; @@ -1860,6 +1861,9 @@ static void printResults(u_int64_t tot_usec) { json_object_object_add(jObj_stats, "time", json_object_new_string(timestamp)); saveScannerStats(&jObj_stats, scannerHosts); + + u_int64_t total_src_addr = getTopStats(&topSrcStats, srcStats); + u_int64_t total_dst_addr = getTopStats(&topDstStats, dstStats); saveTopStats(&jObj_stats, topSrcStats, DIR_SRC, cumulative_stats.ndpi_flow_count, total_src_addr); saveTopStats(&jObj_stats, topDstStats, DIR_DST, cumulative_stats.ndpi_flow_count, total_dst_addr); 
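Review bot: In `json_close_stats_file`, `json_object_new_int(pcap_analysis_duration)` converts a `u_int32_t` whose default is `(u_int32_t)-1` to a signed 32-bit value, so a run without a duration limit will most likely write `"duration.in.seconds": -1`. Either emit the field only when a duration was given, or use `json_object_new_int64(pcap_analysis_duration)` and document the sentinel for consumers of the file. The hunk shows no `json_object_put(jObjFinal)` after the string is written, so the new root object is not released. In `saveTopStats`, `flows.number` is a count and reads better as `json_object_new_int64(s->num_flows)` than as a double, assuming `num_flows` is an integer field.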
@@ -2267,36 +2271,63 @@ void automataUnitTest() { /* *********************************************** */ /** - * @brief Produce port based pbf filter for port array - * and saves it in .json format + * @brief Produce bpf filter to filter ports and hosts, + * save it in .json format */ #ifdef HAVE_JSON_C -void bpf_filter_produce_filter(int port_array[], int size, char *filePath){ +void bpf_filter_produce_filter(int port_array[], int p_size, const char *host_array[48], int h_size, char *filePath){ + FILE *fp = NULL; char *prefix = "bpf_filter_"; char _filterFilePath[1024]; char *fileName; - FILE *fp = NULL; - char filter[1024]; - char buf[10]; + char filter[2048]; + char portBuf[10]; + char hostBuf[64]; int produced = 0; int i = 0; printf("producing bpf filter...\n"); - strcpy(filter, "not (dst port "); - while(i < size && port_array[i] != INIT_VAL){ - if(i+1 == size || port_array[i+1] == INIT_VAL) - snprintf(buf, sizeof(buf), "%d", port_array[i]); - else - snprintf(buf, sizeof(buf), "%d or ", port_array[i]); - strncat(filter, buf, sizeof(buf)); - i++; + if(port_array[0] != INIT_VAL){ + + strcpy(filter, "not (src port "); + while(i < p_size && port_array[i] != INIT_VAL){ + if(i+1 == p_size || port_array[i+1] == INIT_VAL) + snprintf(portBuf, sizeof(portBuf), "%d", port_array[i]); + else + snprintf(portBuf, sizeof(portBuf), "%d or ", port_array[i]); + strncat(filter, portBuf, sizeof(portBuf)); + i++; + } + + strncat(filter, ")", sizeof(")")); produced = 1; } - strncat(filter, ")", sizeof(")")); + + if(host_array[0] != NULL){ + + if(port_array[0] != INIT_VAL) + strncat(filter, " and not (host ", sizeof(" and not (host ")); + else + strcpy(filter, "not (host "); + + i=0; + + while(i < h_size && host_array[i] != NULL){ + if(i+1 == h_size || host_array[i+1] == NULL) + snprintf(hostBuf, sizeof(hostBuf), "%s", host_array[i]); + else + snprintf(hostBuf, sizeof(hostBuf), "%s or ", host_array[i]); + strncat(filter, hostBuf, sizeof(hostBuf)); + i++; + } + + strncat(filter, ")", 
sizeof(")")); + produced = 1; + } fileName = basename(filePath); @@ -2307,19 +2338,22 @@ void bpf_filter_produce_filter(int port_array[], int size, char *filePath){ exit(-1); } + json_object *jObj_bpfFilter = json_object_new_object(); + if(produced) - json_object_object_add(jObj_bpfFilter, "filter", json_object_new_string(filter)); + json_object_object_add(jObj_bpfFilter, "filter", json_object_new_string(filter)); else json_object_object_add(jObj_bpfFilter, "filter", json_object_new_string("")); fprintf(fp,"%s\n",json_object_to_json_string(jObj_bpfFilter)); fclose(fp); - printf("created: %s\n", _filterFilePath); + printf("created: %s\n", _filterFilePath); } #endif + /* *********************************************** */ /** * @brief Initialize port array 
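Review bot: In bpf_filter_produce_filter, `strncat(filter, portBuf, sizeof(portBuf))` and `strncat(filter, hostBuf, sizeof(hostBuf))` bound the copy by the size of the source buffer, so the 2048-byte `filter` is protected only by the current array limits and not by the space that is left in it. A bound taken from the destination, `strncat(filter, hostBuf, sizeof(filter) - strlen(filter) - 1);`, states the intent and stays correct if the array sizes grow. The result of `snprintf` into `hostBuf` is not checked either, so a host string longer than the buffer is cut silently and loses its ` or ` separator. The host strings appear to come from the JSON file given with -x and go into the filter expression as they are; checking each one with `inet_pton()` before it is added would keep anything other than an address out of the filter. The function continues past the end of this hunk.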
@@ -2333,7 +2367,41 @@ void bpf_filter_port_array_init(int array[], int size){ /* *********************************************** */ /** - * @brief Add port to port array + * @brief Initialize host array + */ + +void bpf_filter_host_array_init(const char *array[48], int size){ + int i; + for(i=0; i treshold) + * and have (#flows > %1 of total flows) to the srcPortArray + * to filter + */ +#ifdef HAVE_JSON_C +void getPacketBasedSourcePortsToFilter(struct json_object *jObj_stat, int srcPortArray[], int size){ + int j; + + for(j=0; j FLOWS_PACKETS_TRESHOLD) && (flows_percent >= FLOWS_PERCENT_TRESHOLD)){ + if((res = json_object_object_get_ex(src_pkts_stat, "port", &jObj_port)) == 0){ + fprintf(stderr, "ERROR: can't get \"port\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + exit(-1); + } + int port = json_object_get_int(jObj_port); + + bpf_filter_port_array_add(srcPortArray, size, port); + } + } +} +#endif + +/* *********************************************** */ + +/* + * @brief add scanner hosts which have more than 1000 + * flows per second to the srcHostArray to filter + */ +#ifdef HAVE_JSON_C +void getScannerHostsToFilter(struct json_object *jObj_stat, int duration, const char *srcHostArray[48], int size){ + int j; + + for(j=0; j 1000){ + if((res = json_object_object_get_ex(scanner_stat, "ip.address", &jObj_host_address)) == 0){ + fprintf(stderr, "ERROR: can't get \"ip.address\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + exit(-1); + } + const char *host_address = json_object_get_string(jObj_host_address); + + bpf_filter_host_array_add(srcHostArray, size, host_address); + + } + } +} +#endif + +/* *********************************************** */ + +/* + * @brief add ports which have more than 1000 flows per + * second to the srcHostArray to filter + */ #ifdef HAVE_JSON_C -static void produceBpfFilters(char *filePath){ +void getHostBasedSourcePortsToFilter(struct json_object *jObj_stat, int duration, int 
srcPortArray[], int size){ + int j; + + for(j=0; j 1000){ + if((res = json_object_object_get_ex(src_pkts_stat, "port", &jObj_port)) == 0){ + fprintf(stderr, "ERROR: can't get \"port\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + exit(-1); + } + int port = json_object_get_int(jObj_port); + + bpf_filter_port_array_add(srcPortArray, size, port); + } + } +} +#endif + +/* *********************************************** */ + +#ifdef HAVE_JSON_C +static void produceBpfFilter(char *filePath){ int fsock; struct stat statbuf; void *fmap; - struct json_object *jObj; /* entire json object from file */ - int filterPorts[PORT_ARRAY_SIZE]; /* ports to filter */ + int filterSrcPorts[PORT_ARRAY_SIZE]; /* ports to filter */ + const char *filterSrcHosts[48]; /* hosts to filter */ + json_object *jObj; /* entire json object from file */ + json_object *jObj_duration; + json_object *jObj_statistics; /* json array */ + json_bool res; + int duration; + int typeCheck; int array_len; - int typeCheck; /* jObj should be a json array */ int i; 
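Review bot: The port read with `json_object_get_int(jObj_port)` in getPacketBasedSourcePortsToFilter and getHostBasedSourcePortsToFilter is passed to `bpf_filter_port_array_add()` without a range check. Unless that helper rejects it, a value outside 0-65535 from the input file reaches the generated filter, and -1 equals INIT_VAL, which the filter builder treats as the end of the array. A guard such as `if(port < 0 || port > 65535) continue;` before the add call would cover both cases. The comment above getHostBasedSourcePortsToFilter says the ports are added to `srcHostArray`; it should name `srcPortArray`. Parts of this hunk are missing on the page, so the loop bodies could not be checked in full.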
@@ -2381,69 +2572,63 @@ static void produceBpfFilters(char *filePath){ } if((jObj = json_tokener_parse(fmap)) == NULL){ - printf("ERROR: invalid json file. Use -x flag only with .json files generated by ndpiReader -b flag.\n"); + fprintf(stderr,"ERROR: invalid json file. Use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); } - if((typeCheck = json_object_is_type(jObj, json_type_array)) == 0){ - printf("ERROR: invalid json file. Use -x flag only with .json files generated by ndpiReader -b flag.\n"); + + if((res = json_object_object_get_ex(jObj, "duration.in.seconds", &jObj_duration)) == 0){ + fprintf(stderr,"ERROR: can't get \"duration.in.seconds\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); } + duration = json_object_get_int(jObj_duration); + + + if((res = json_object_object_get_ex(jObj, "statistics", &jObj_statistics)) == 0){ + fprintf(stderr,"ERROR: can't get \"statistics\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + exit(-1); + } + + if((typeCheck = json_object_is_type(jObj_statistics, json_type_array)) == 0){ + fprintf(stderr,"ERROR: invalid json file. Use -x flag only with .json files generated by ndpiReader -b flag.\n"); + exit(-1); + } + array_len = json_object_array_length(jObj_statistics); + + bpf_filter_port_array_init(filterSrcPorts, PORT_ARRAY_SIZE); + bpf_filter_host_array_init(filterSrcHosts, HOST_ARRAY_SIZE); - bpf_filter_port_array_init(filterPorts, PORT_ARRAY_SIZE); - array_len = json_object_array_length(jObj); for(i=0; i FLOWS_PACKETS_TRESHOLD) && (flows_percent >= FLOWS_PERCENT_TRESHOLD)){ - if((res = json_object_object_get_ex(src_pkts_stat, "port", &jObj_port)) == 0){ - printf("ERROR: invalid json file. 
Use -x flag only for .json files generated with -b flag.\n"); - exit(-1); - } - int port = json_object_get_int(jObj_port); - - bpf_filter_port_array_add(filterPorts, PORT_ARRAY_SIZE, port); - } + if((res = json_object_object_get_ex(stats, "top.src.ip.stats", &val)) == 0){ + fprintf(stderr,"ERROR: can't get \"top.src.ip.stats\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + exit(-1); } + getHostBasedSourcePortsToFilter(val, duration, filterSrcPorts, PORT_ARRAY_SIZE); + } + bpf_filter_produce_filter(filterSrcPorts, PORT_ARRAY_SIZE, filterSrcHosts, HOST_ARRAY_SIZE, filePath); + json_object_put(jObj); /* free memory */ - - bpf_filter_produce_filter(filterPorts, PORT_ARRAY_SIZE, filePath); - } #endif @@ -2466,7 +2651,7 @@ int main(int argc, char **argv) { if(bpf_filter_flag){ #ifdef HAVE_JSON_C - produceBpfFilters(_diagnoseFilePath); + produceBpfFilter(_diagnoseFilePath); return 0; #endif } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 0a465a3c0..f6d315748 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -44,6 +44,7 @@ #define DIR_SRC 10 #define DIR_DST 20 #define PORT_ARRAY_SIZE 20 +#define HOST_ARRAY_SIZE 20 #define FLOWS_PACKETS_TRESHOLD 0.9 #define FLOWS_PERCENT_TRESHOLD 1.0 #define INIT_VAL -1 -- cgit v1.2.3 From 6e85b9344298dbba49d06951360c5e3c464d92ba Mon Sep 17 00:00:00 2001 From: Micah Lyle Date: Mon, 17 Jul 2017 18:06:07 -0700 Subject: Implementation for extra packet processing if desired --- example/ndpi_util.c | 40 ++++++++++++--- example/ndpi_util.h | 5 +- src/include/ndpi_api.h | 121 ++++++++++++++++++++++++++------------------ src/include/ndpi_typedefs.h | 6 ++- src/lib/ndpi_main.c | 54 ++++++++++++++++++-- src/lib/protocols/ssl.c | 63 ++++++++++++++++------- 6 files changed, 207 insertions(+), 82 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpi_util.c b/example/ndpi_util.c index 75bab6319..b0955d8d4 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c 
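Review bot: In produceBpfFilter, `duration = json_object_get_int(jObj_duration);` is used without checking that the value is positive. The helper comments speak of flows per second, so the helpers presumably divide by it (their bodies are not fully visible here), and json-c returns 0 when the member is not a number. A check right after the read, `if(duration <= 0) { fprintf(stderr, "ERROR: invalid \"duration.in.seconds\"\n"); exit(-1); }`, would match the other input checks in this function. The function starts before this hunk.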
@@ -158,10 +158,10 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) { if(fa->hashval < fb->hashval) return(-1); else if(fa->hashval > fb->hashval) return(1); /* Flows have the same hash */ - + if(fa->vlan_id < fb->vlan_id ) return(-1); else { if(fa->vlan_id > fb->vlan_id ) return(1); } if(fa->protocol < fb->protocol ) return(-1); else { if(fa->protocol > fb->protocol ) return(1); } - + if( ( (fa->src_ip == fb->src_ip ) @@ -178,12 +178,12 @@ int ndpi_workflow_node_cmp(const void *a, const void *b) { ) ) return(0); - + if(fa->src_ip < fb->src_ip ) return(-1); else { if(fa->src_ip > fb->src_ip ) return(1); } if(fa->src_port < fb->src_port) return(-1); else { if(fa->src_port > fb->src_port) return(1); } if(fa->dst_ip < fb->dst_ip ) return(-1); else { if(fa->dst_ip > fb->dst_ip ) return(1); } if(fa->dst_port < fb->dst_port) return(-1); else { if(fa->dst_port > fb->dst_port) return(1); } - + return(0); /* notreached */ } @@ -453,7 +453,7 @@ void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_fl } } - if(flow->detection_completed) { + if(flow->detection_completed && !flow->check_extra_packets) { if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { if (workflow->__flow_giveup_callback != NULL) workflow->__flow_giveup_callback(workflow, flow, workflow->__flow_giveup_udata); @@ -516,7 +516,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, flow->src2dst_packets++, flow->src2dst_bytes += rawsize; else flow->dst2src_packets++, flow->dst2src_bytes += rawsize; - + flow->last_seen = time; } else { // flow is NULL workflow->stats.total_discarded_bytes++; 
@@ -524,7 +524,28 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, } /* Protocol already detected */ - if(flow->detection_completed) return(flow->detected_protocol); + if(flow->detection_completed) { + if(flow->check_extra_packets && ndpi_flow != NULL && ndpi_flow->check_extra_packets) { + if(ndpi_flow->num_extra_packets_checked == 0 && ndpi_flow->max_extra_packets_to_check == 0) { + /* Protocols can set this, but we set it here in case they didn't */ + ndpi_flow->max_extra_packets_to_check = MAX_EXTRA_PACKETS_TO_CHECK; + } + if(ndpi_flow->num_extra_packets_checked < ndpi_flow->max_extra_packets_to_check) { + ndpi_process_extra_packet(workflow->ndpi_struct, ndpi_flow, + iph ? (uint8_t *)iph : (uint8_t *)iph6, + ipsize, time, src, dst); + if (ndpi_flow->check_extra_packets == 0) { + flow->check_extra_packets = 0; + ndpi_free_flow_info_half(flow); + } + } + } else if (ndpi_flow != NULL) { + /* If this wasn't NULL we should do the half free */ + /* TODO: When half_free is deprecated, get rid of this */ + ndpi_free_flow_info_half(flow); + } + return(flow->detected_protocol); + } flow->detected_protocol = ndpi_detection_process_packet(workflow->ndpi_struct, ndpi_flow, iph ? (uint8_t *)iph : (uint8_t *)iph6, @@ -535,12 +556,15 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, || ((proto == IPPROTO_TCP) && ((flow->src2dst_packets + flow->dst2src_packets) > 10))) { /* New protocol detected or give up */ flow->detection_completed = 1; + /* Check if we should keep checking extra packets */ + if (ndpi_flow->check_extra_packets) + flow->check_extra_packets = 1; if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) flow->detected_protocol = ndpi_detection_giveup(workflow->ndpi_struct, flow->ndpi_flow); process_ndpi_collected_info(workflow, flow); - } + } return(flow->detected_protocol); } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index f6d315748..45101cf10 100644 --- a/example/ndpi_util.h 
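Review bot: In the new `if(flow->detection_completed)` block of packet_processing, nothing happens once `num_extra_packets_checked` reaches `max_extra_packets_to_check`. For a flow whose callback never returns 0, `flow->check_extra_packets` stays set and `ndpi_free_flow_info_half(flow)` is not called from here, so the detection state is kept for the rest of the flow's lifetime as far as this hunk shows. An `else` on the budget test, `else { flow->check_extra_packets = 0; ndpi_free_flow_info_half(flow); }`, would release it when the budget is used up. packet_processing starts and ends outside the hunk.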
+++ b/example/ndpi_util.h @@ -36,6 +36,7 @@ #define MAX_IDLE_TIME 30000 #define IDLE_SCAN_BUDGET 1024 #define NUM_ROOTS 512 +#define MAX_EXTRA_PACKETS_TO_CHECK 7 #define MAX_NDPI_FLOWS 200000000 #define TICK_RESOLUTION 1000 #define MAX_NUM_IP_ADDRESS 5 /* len of ip address array */ @@ -56,7 +57,7 @@ typedef struct ndpi_flow_info { u_int32_t dst_ip; u_int16_t src_port; u_int16_t dst_port; - u_int8_t detection_completed, protocol, bidirectional; + u_int8_t detection_completed, protocol, bidirectional, check_extra_packets; u_int16_t vlan_id; struct ndpi_flow_struct *ndpi_flow; char src_name[48], dst_name[48]; @@ -64,7 +65,7 @@ typedef struct ndpi_flow_info { u_int64_t last_seen; u_int64_t src2dst_bytes, dst2src_bytes; u_int32_t src2dst_packets, dst2src_packets; - + // result only, not used for flow identification ndpi_protocol detected_protocol; diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index b2c6b6952..03a73d66b 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -42,20 +42,20 @@ extern "C" { #define SAVE_DETECTION_BITMASK_AS_UNKNOWN 1 #define NO_SAVE_DETECTION_BITMASK_AS_UNKNOWN 0 - + /** * Check if a string is encoded with punycode * ( https://tools.ietf.org/html/rfc3492 ) * * @par buff = pointer to the string to ckeck * @par len = len of the string - * @return 1 if the string is punycoded; + * @return 1 if the string is punycoded; * else 0 * */ int check_punycode_string(char * buff , int len); - + /** * Get the size of the flow struct * @@ -64,16 +64,16 @@ extern "C" { */ u_int32_t ndpi_detection_get_sizeof_ndpi_flow_struct(void); - + /** - * Get the size of the id struct + * Get the size of the id struct * * @return the size of the id struct - * + * */ u_int32_t ndpi_detection_get_sizeof_ndpi_id_struct(void); - + /** * nDPI personal allocation and free functions **/ 
@@ -98,7 +98,7 @@ extern "C" { */ char* ndpi_strnstr(const char *s, const char *find, size_t slen); - + /** * Returns the nDPI protocol id for IP-based protocol detection * @@ -106,7 +106,7 @@ extern "C" { * @par pin = IP host address (MUST BE in network byte order): * See man(7) ip for details * @return the nDPI protocol ID - * + * */ u_int16_t ndpi_network_ptree_match(struct ndpi_detection_module_struct *ndpi_struct, struct in_addr *pin); @@ -117,9 +117,9 @@ extern "C" { * @par ndpi_mod = the struct created for the protocol detection * @par match = the struct passed to match the protocol * - */ + */ void ndpi_init_protocol_match(struct ndpi_detection_module_struct *ndpi_mod, ndpi_protocol_match *match); - + /** * Returns a new initialized detection module * @@ -127,7 +127,7 @@ extern "C" { * */ struct ndpi_detection_module_struct *ndpi_init_detection_module(void); - + /** * Frees the memory allocated in the specified flow * @@ -136,7 +136,7 @@ extern "C" { */ void ndpi_free_flow(struct ndpi_flow_struct *flow); - + /** * Enables cache support. * In nDPI is used for some protocol (i.e. Skype) @@ -148,7 +148,7 @@ extern "C" { */ void ndpi_enable_cache(struct ndpi_detection_module_struct *ndpi_mod, char* host, u_int port); - + /** * Destroys the detection module * @@ -180,7 +180,7 @@ extern "C" { const NDPI_SELECTION_BITMASK_PROTOCOL_SIZE ndpi_selection_bitmask, u_int8_t b_save_bitmask_unknow, u_int8_t b_add_detection_bitmask); - + /** * Sets the protocol bitmask2 @@ -192,7 +192,7 @@ extern "C" { void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *ndpi_struct, const NDPI_PROTOCOL_BITMASK * detection_bitmask); - + /** * Function to be called before we give up with detection for a given flow. * This function reduces the NDPI_UNKNOWN_PROTOCOL detection 
@@ -200,12 +200,35 @@ extern "C" { * @par ndpi_struct = the detection module * @par flow = the flow given for the detection module * @return the detected protocol even if the flow is not completed; - * + * */ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - + /** + * Processes an extra packet in order to get more information for a given protocol + * (like SSL getting both client and server certificate even if we already know after + * seeing the client certificate what the protocol is) + * + * @par ndpi_struct = the detection module + * @par flow = pointer to the connection state machine + * @par packet = unsigned char pointer to the Layer 3 (IP header) + * @par packetlen = the length of the packet + * @par current_tick = the current timestamp for the packet + * @par src = pointer to the source subscriber state machine + * @par dst = pointer to the destination subscriber state machine + * @return void + * + */ + void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + const unsigned char *packet, + const unsigned short packetlen, + const u_int64_t current_tick, + struct ndpi_id_struct *src, + struct ndpi_id_struct *dst); + + /** * Processes one packet and returns the ID of the detected protocol. * This is the MAIN PACKET PROCESSING FUNCTION. @@ -228,7 +251,7 @@ extern "C" { struct ndpi_id_struct *src, struct ndpi_id_struct *dst); - + /** * Get the main protocol of the passed flows for the detected module * 
@@ -241,13 +264,13 @@ extern "C" { u_int16_t ndpi_get_flow_masterprotocol(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow); - + /** * Query the pointer to the layer 4 packet * * @par l3 = pointer to the layer 3 data * @par l3_len = length of the layer 3 data - * @par l4_return = address to the pointer of the layer 4 data if return value == 0, else undefined + * @par l4_return = address to the pointer of the layer 4 data if return value == 0, else undefined * @par l4_len_return = length of the layer 4 data if return value == 0, else undefined * @par l4_protocol_return = protocol of the layer 4 data if return value == 0, undefined otherwise * @par flags = limit operation on ipv4 or ipv6 packets. Possible values: NDPI_DETECTION_ONLY_IPV4 - NDPI_DETECTION_ONLY_IPV6 - 0 (any) @@ -261,13 +284,13 @@ extern "C" { /** * Search and return the protocol based on matched ports - * + * * @par ndpi_struct = the detection module * @par shost = source address in host byte order * @par sport = source port number * @par dhost = destination address in host byte order * @par dport = destination port number - * @return the struct ndpi_protocol that match the port base protocol + * @return the struct ndpi_protocol that match the port base protocol * */ ndpi_protocol ndpi_find_port_based_protocol(struct ndpi_detection_module_struct *ndpi_struct/* , u_int8_t proto */, 
@@ -276,17 +299,17 @@ extern "C" { u_int32_t dhost, u_int16_t dport); - + /** * Search and return the protocol guessed that is undetected - * + * * @par ndpi_struct = the detection module * @par proto = the l4 protocol number * @par shost = source address in host byte order * @par sport = source port number * @par dhost = destination address in host byte order * @par dport = destination port number - * @return the struct ndpi_protocol that match the port base protocol + * @return the struct ndpi_protocol that match the port base protocol * */ ndpi_protocol ndpi_guess_undetected_protocol(struct ndpi_detection_module_struct *ndpi_struct, @@ -299,7 +322,7 @@ extern "C" { /** * Check if the string passed match with a protocol - * + * * @par ndpi_struct = the detection module * @par string_to_match = the string to match * @par string_to_match_len = the length of the string @@ -315,7 +338,7 @@ extern "C" { /** * Check if the host passed match with a protocol - * + * * @par ndpi_struct = the detection module * @par flow = the flow where match the host * @par string_to_match = the string to match @@ -333,7 +356,7 @@ extern "C" { /** * Check if the string content passed match with a protocol - * + * * @par ndpi_struct = the detection module * @par flow = the flow where match the host * @par string_to_match = the string to match @@ -348,7 +371,7 @@ extern "C" { u_int string_to_match_len, u_int16_t master_protocol_id); - + /** * Check if the string -bigram_to_match- match with a bigram of -automa- * @@ -358,11 +381,11 @@ extern "C" { * @return 0 * */ - int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_struct, + int ndpi_match_bigram(struct ndpi_detection_module_struct *ndpi_struct, ndpi_automa *automa, char *bigram_to_match); - + /** * Write the protocol name in the buffer -buf- as master_protocol.protocol * 
@@ -392,7 +415,7 @@ extern "C" { * @return the protocol category */ ndpi_protocol_category_t ndpi_get_proto_category(struct ndpi_detection_module_struct *ndpi_mod, ndpi_protocol proto); - + /** * Get the protocol name associated to the ID * @@ -414,13 +437,13 @@ extern "C" { */ ndpi_protocol_breed_t ndpi_get_proto_breed(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t proto); - + /** * Return the string name of the protocol breed * * @par ndpi_struct = the detection module * @par breed_id = the breed ID associated to the protocol - * @return the string name of the breed ID + * @return the string name of the breed ID * */ char* ndpi_get_proto_breed_name(struct ndpi_detection_module_struct *ndpi_struct, ndpi_protocol_breed_t breed_id); @@ -431,7 +454,7 @@ extern "C" { * * @par ndpi_mod = the detection module * @par proto = the ID of the protocol - * @return the string name of the breed ID + * @return the string name of the breed ID * */ int ndpi_get_protocol_id(struct ndpi_detection_module_struct *ndpi_mod, char *proto); @@ -443,7 +466,7 @@ extern "C" { * @par ndpi_mod = the detection module */ void ndpi_dump_protocols(struct ndpi_detection_module_struct *mod); - + /** * Read a file and load the protocols @@ -467,12 +490,12 @@ extern "C" { * Get the total number of the supported protocols * * @par ndpi_mod = the detection module - * @return the number of protocols + * @return the number of protocols * */ u_int ndpi_get_num_supported_protocols(struct ndpi_detection_module_struct *ndpi_mod); - + /** * Get the nDPI version release * @@ -503,7 +526,7 @@ extern "C" { */ ndpi_http_method ndpi_get_http_method(struct ndpi_detection_module_struct *ndpi_mod, struct ndpi_flow_struct *flow); - + /** * Get the HTTP url * @@ -526,7 +549,7 @@ extern "C" { char* ndpi_get_http_content_type(struct ndpi_detection_module_struct *ndpi_mod, struct ndpi_flow_struct *flow); #endif - + #ifdef NDPI_PROTOCOL_TOR /** * Check if the flow could be detected as TOR protocol 
@@ -536,7 +559,7 @@ extern "C" { * @par certificate = the ssl certificate * @return 1 if the flow is TOR; * 0 else - * + * */ int ndpi_is_ssl_tor(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, char *certificate); @@ -547,7 +570,7 @@ extern "C" { * Init Aho-Corasick automata * * @return The requested automata, or NULL if an error occurred - * + * */ void* ndpi_init_automa(void); @@ -556,7 +579,7 @@ extern "C" { * Free Aho-Corasick automata allocated with ndpi_init_automa(); * * @par The automata initialized with ndpi_init_automa(); - * + * */ void ndpi_free_automa(void *_automa); @@ -568,7 +591,7 @@ extern "C" { * @par The (sub)string to search * @par The number associated with this string * @return 0 in case of no error, or -1 if an error occurred. - * + * */ int ndpi_add_string_value_to_automa(void *_automa, char *str, unsigned long num); @@ -579,7 +602,7 @@ extern "C" { * @par The automata initialized with ndpi_init_automa(); * @par The (sub)string to search * @return 0 in case of no error, or -1 if an error occurred. - * + * */ int ndpi_add_string_to_automa(void *_automa, char *str); @@ -588,7 +611,7 @@ extern "C" { * Finalize the automa (necessary before start searching) * * @par The automata initialized with ndpi_init_automa(); - * + * */ void ndpi_finalize_automa(void *_automa); @@ -599,7 +622,7 @@ extern "C" { * @par The automata initialized with ndpi_init_automa(); * @par The (sub)string to search * @return 0 in case of match, or -1 if no match, or -2 if an error occurred. - * + * */ int ndpi_match_string(void *_automa, char *string_to_match); @@ -611,7 +634,7 @@ extern "C" { * @par The (sub)string to search * @par The id associated with the matched string or 0 id not found. * @return 0 in case of match, or -1 if no match, or -2 if an error occurred. - * + * */ int ndpi_match_string_id(void *_automa, char *string_to_match, unsigned long *id); 
diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index c10101d42..dd7bb89d9 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -912,7 +912,7 @@ struct ndpi_flow_struct { /* init parameter, internal used to set up timestamp,... */ u_int16_t guessed_protocol_id, guessed_host_protocol_id; - u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1; + u_int8_t protocol_id_already_guessed:1, host_already_guessed:1, init_finished:1, setup_packet_direction:1, packet_direction:1, check_extra_packets:1; /* if ndpi_struct->direction_detect_disable == 1 @@ -920,6 +920,10 @@ struct ndpi_flow_struct { */ u_int32_t next_tcp_seq_nr[2]; + u_int8_t max_extra_packets_to_check; + u_int8_t num_extra_packets_checked; + int (*extra_packets_func) (struct ndpi_detection_module_struct *, struct ndpi_flow_struct *flow); + /* the tcp / udp / other l4 value union used to reduce the number of bytes for tcp or udp protocol states diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index a2f957ce9..de8c0cb7b 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c @@ -1631,7 +1631,7 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp no_master, "FIX", NDPI_PROTOCOL_CATEGORY_RPC, ndpi_build_default_ports(ports_a, 0, 0, 0, 0, 0) /* TCP */, ndpi_build_default_ports(ports_b, 0, 0, 0, 0, 0) /* UDP */); - + /* calling function for host and content matched protocols */ init_string_based_protocols(ndpi_mod); @@ -1650,7 +1650,7 @@ static int ac_match_handler(AC_MATCH_t *m, void *param) { /* Return 1 for stopping to the first match. We might consider searching for the more - specific match, paying more cpu cycles. + specific match, paying more cpu cycles. */ *matching_protocol_id = m->patterns[0].rep.number; 
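Review bot: The three members added to struct ndpi_flow_struct in ndpi_typedefs.h have no comment, and the return contract of `extra_packets_func` can only be learned from its caller. A comment on the pointer such as `/* return 0 to stop extra packet processing, non-zero to keep receiving packets */` would document it. It is also worth stating next to `max_extra_packets_to_check` that the example reader treats 0 as "not set" and substitutes its own default.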
@@ -3439,6 +3439,50 @@ ndpi_protocol ndpi_detection_giveup(struct ndpi_detection_module_struct *ndpi_st /* ********************************************************************************* */ +void ndpi_process_extra_packet(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + const unsigned char *packet, + const unsigned short packetlen, + const u_int64_t current_tick_l, + struct ndpi_id_struct *src, + struct ndpi_id_struct *dst) +{ + if(flow == NULL) + return; + + if(flow->server_id == NULL) flow->server_id = dst; /* Default */ + + /* need at least 20 bytes for ip header */ + if(packetlen < 20) { + return; + } + + flow->packet.tick_timestamp_l = current_tick_l; + flow->packet.tick_timestamp = (u_int32_t)current_tick_l/1000; + + /* parse packet */ + flow->packet.iph = (struct ndpi_iphdr *)packet; + /* we are interested in ipv4 packet */ + + /* set up the packet headers for the extra packet function to use if it wants */ + if(ndpi_init_packet_header(ndpi_struct, flow, packetlen) != 0) + return; + + /* detect traffic for tcp or udp only */ + flow->src = src, flow->dst = dst; + ndpi_connection_tracking(ndpi_struct, flow); + + /* call the extra packet function (which may add more data/info to flow) */ + if (flow->extra_packets_func) { + if ((flow->extra_packets_func(ndpi_struct, flow)) == 0) + flow->check_extra_packets = 0; + } + + flow->num_extra_packets_checked++; +} + +/* ********************************************************************************* */ + ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, const unsigned char *packet, @@ -4635,7 +4679,7 @@ int ndpi_match_prefix(const u_int8_t *payload, size_t payload_len, const char *str, size_t str_len) { int rc = str_len <= payload_len ? memcmp(payload, str, str_len) == 0 : 0; - + return rc; } 
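Review bot: In ndpi_process_extra_packet, `flow->packet.tick_timestamp = (u_int32_t)current_tick_l/1000;` applies the cast before the division, so the 64-bit tick is truncated to 32 bits first and the result is wrong once the tick exceeds 32 bits; `(u_int32_t)(current_tick_l/1000)` divides the full value. The two early returns (`packetlen < 20` and a failed `ndpi_init_packet_header()`) also skip `flow->num_extra_packets_checked++`, so packets that fail these checks never count against `max_extra_packets_to_check`; incrementing the counter before the length check would bound the work done per flow. The packet pointer is cast to `struct ndpi_iphdr *` although the example caller can pass an IPv6 header, which is presumably sorted out in ndpi_init_packet_header() and is worth confirming.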
@@ -4648,7 +4692,7 @@ int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_stru AC_TEXT_t ac_input_text; ndpi_automa *automa = is_host_match ? &ndpi_struct->host_automa : &ndpi_struct->content_automa; int rc; - + if((automa->ac_automa == NULL) || (string_to_match_len == 0)) return(NDPI_PROTOCOL_UNKNOWN); if(!automa->ac_automa_finalized) { @@ -4658,7 +4702,7 @@ int ndpi_match_string_subprotocol(struct ndpi_detection_module_struct *ndpi_stru ac_input_text.astring = string_to_match, ac_input_text.length = string_to_match_len; ac_automata_search(((AC_AUTOMATA_t*)automa->ac_automa), &ac_input_text, (void*)&matching_protocol_id); - + ac_automata_reset(((AC_AUTOMATA_t*)automa->ac_automa)); return(matching_protocol_id); diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index d6e1ffd7e..5afca5389 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c 
@@ -306,6 +306,46 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, return(0); /* Not found */ } +int sslTryAndRetrieveServerCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { + struct ndpi_packet_struct *packet = &flow->packet; + + /* consider only specific SSL packets (handshake) */ + if((packet->payload_packet_len > 9) && (packet->payload[0] == 0x16)) { + char certificate[64]; + int rc; + certificate[0] = '\0'; + rc = getSSLcertificate(ndpi_struct, flow, certificate, sizeof(certificate)); + packet->ssl_certificate_num_checks++; + if (rc > 0) { + packet->ssl_certificate_detected++; + if (flow->protos.ssl.server_certificate[0] != '\0') + /* 0 means we're done processing extra packets (since we found what we wanted) */ + return 0; + } + /* Client hello, Server Hello, and certificate packets probably all checked in this case */ + if ((packet->ssl_certificate_num_checks >= 3) + && (flow->l4.tcp.seen_syn) + && (flow->l4.tcp.seen_syn_ack) + && (flow->l4.tcp.seen_ack) /* We have seen the 3-way handshake */) + { + /* We're done processing extra packets since we've probably checked all possible cert packets */ + return 0; + } + } + /* 1 means keep looking for more packets */ + return 1; +} + +void sslInitExtraPacketProcessing(int caseNum, struct ndpi_flow_struct *flow) { + flow->check_extra_packets = 1; + /* 0 is the case for waiting for the server certificate */ + if (caseNum == 0) { + /* At most 7 packets should almost always be enough to find the server certificate if it's there */ + flow->max_extra_packets_to_check = 7; + flow->extra_packets_func = sslTryAndRetrieveServerCertificate; + } +} + int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; 
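Review bot: sslInitExtraPacketProcessing sets `flow->check_extra_packets = 1` before it looks at `caseNum`, so any value other than 0 turns extra packet processing on without setting `extra_packets_func` or a packet limit. Moving the assignment inside the `if (caseNum == 0)` block, or replacing the bare int with a named enum constant, removes that path. The literal `7` repeats the value of MAX_EXTRA_PACKETS_TO_CHECK from example/ndpi_util.h; a constant on the library side would keep the two from drifting apart.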
@@ -325,14 +365,15 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s #ifdef CERTIFICATE_DEBUG printf("***** [SSL] %s\n", certificate); #endif - /* If we've detected the subprotocol from client certificate but haven't had a chance - * to see the server certificate yet, wait a few more packets */ - if((flow->protos.ssl.client_certificate[0] != '\0') && (flow->protos.ssl.server_certificate[0] == '\0')) { - return (rc); - } u_int32_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, strlen(certificate), NDPI_PROTOCOL_SSL); if(subproto != NDPI_PROTOCOL_UNKNOWN) { + /* If we've detected the subprotocol from client certificate but haven't had a chance + * to see the server certificate yet, set up extra packet processing to wait + * a few more packets. */ + if((flow->protos.ssl.client_certificate[0] != '\0') && (flow->protos.ssl.server_certificate[0] == '\0')) { + sslInitExtraPacketProcessing(0, flow); + } ndpi_set_detected_protocol(ndpi_struct, flow, subproto, ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL)); return(rc); /* Fix courtesy of Gianluca Costa */ 
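Review bot: The subprotocol is now committed with `ndpi_set_detected_protocol` from the name matched at this point, and when only `client_certificate` is populated the extra-packet callback added earlier in this commit just waits for `server_certificate` to be filled; it never runs `ndpi_match_host_subprotocol` on the server's name. If the client-side name comes from the client's own handshake message (not shown in this hunk, so an assumption), the classification rests on a field the client chooses, and anyone using the result for policy or alerting should be told so. I would state it in the comment, e.g. `/* subprotocol is decided here from the client-side name; the extra packets only populate server_certificate for reporting */`, or compare the two names once the server certificate arrives. The body of `sslDetectProtocolFromCertificate` starts and ends outside the hunk.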
@@ -350,18 +391,6 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s || (flow->protos.ssl.server_certificate[0] != '\0') /* || (flow->protos.ssl.client_certificate[0] != '\0') */ ) { - if (flow->protos.ssl.client_certificate[0] != '\0') { - u_int32_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, flow->protos.ssl.client_certificate, - strlen(flow->protos.ssl.client_certificate), NDPI_PROTOCOL_SSL); - if (subproto != NDPI_PROTOCOL_UNKNOWN) { - /* We would've only made it here if at some point we went into the if clause above where we wait a - * few packets if we have a subprotocol client cert match but hadn't seen a server cert at that point. */ - ndpi_set_detected_protocol(ndpi_struct, flow, subproto, - ndpi_ssl_refine_master_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSL)); - return(2); /* Returning 2 is because we had a client certificate match - * (since we use what would've been the return code from getSSLCertificate) */ - } - } ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); } } -- cgit v1.2.3 From 3ba3a08141f0c60ab8e970e744ecf7540319b093 Mon Sep 17 00:00:00 2001 
From: Luca Date: Wed, 2 Aug 2017 20:15:21 +0200 Subject: Implemented flow sort based on total bytes so that we can (with -v X) immediately spot elephants and mice --- example/ndpiReader.c | 65 ++- example/ndpi_util.c | 5 +- example/ndpi_util.h | 1 + tests/result/1kxun.pcap.out | 244 +++++----- tests/result/6in4tunnel.pcap.out | 18 +- tests/result/EAQ.pcap.out | 56 +-- tests/result/Instagram.pcap.out | 56 +-- tests/result/KakaoTalk_chat.pcap.out | 72 +-- tests/result/KakaoTalk_talk.pcap.out | 36 +- tests/result/Viber_session.pcap.out | 68 +-- tests/result/bittorrent.pcap.out | 46 +- tests/result/bittorrent_ip.pcap.out | 4 +- tests/result/coap_mqtt.pcap.out | 32 +- tests/result/dnscrypt.pcap.out | 8 +- tests/result/dropbox.pcap.out | 78 +-- tests/result/facebook.pcap.out | 4 +- tests/result/fix.pcap.out | 22 +- tests/result/http_ipv6.pcap.out | 20 +- tests/result/msnms.pcap.out | 10 +- tests/result/mssql_tds.pcap.out | 24 +- tests/result/netflix.pcap.out | 118 ++--- tests/result/nintendo.pcap.out | 40 +- tests/result/ocs.pcap.out | 38 +- tests/result/ookla.pcap.out | 4 +- tests/result/openvpn.pcap.out | 6 +- tests/result/pps.pcap.out | 194 ++++---- tests/result/quic.pcap.out | 18 +- tests/result/quickplay.pcap.out | 42 +- tests/result/rx.pcap.out | 10 +- tests/result/skype-conference-call.pcap.out | 3 + tests/result/skype.pcap.out | 584 +++++++++++------------ tests/result/skype_no_unknown.pcap.out | 528 ++++++++++---------- tests/result/starcraft_battle.pcap.out | 104 ++-- tests/result/teredo.pcap.out | 6 +- tests/result/tinc.pcap.out | 8 +- tests/result/tor.pcap.out | 22 +- tests/result/ubntac2.pcap.out | 6 +- tests/result/viber_mobile.pcap.out | 152 +++--- tests/result/vnc.pcap.out | 4 +- tests/result/waze.pcap.out | 58 +-- tests/result/webex.pcap.out | 114 ++--- tests/result/wechat.pcap.out | 202 ++++---- tests/result/weibo.pcap.out | 88 ++-- tests/result/whatsapp_login_call.pcap.out | 102 ++-- tests/result/whatsapp_login_chat.pcap.out | 18 +- 
tests/result/whatsapp_voice_and_message.pcap.out | 26 +- tests/result/youtube_quic.pcap.out | 6 +- 47 files changed, 1708 insertions(+), 1662 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 189321968..e0dda2cab 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -97,7 +97,15 @@ static time_t capture_for = 0; static time_t capture_until = 0; static u_int32_t num_flows; -struct info_pair{ +struct flow_info { + struct ndpi_flow_info *flow; + u_int16_t thread_id; +}; + +static struct flow_info *all_flows; + + +struct info_pair { char addr[48]; char proto[48]; /*app level protocol*/ int count; @@ -167,7 +175,7 @@ static u_int16_t extcap_packet_filter = (u_int16_t)-1; // struct associated to a workflow for a thread struct reader_thread { - struct ndpi_workflow * workflow; + struct ndpi_workflow *workflow; pthread_t pthread; u_int64_t last_idle_scan_time; u_int32_t idle_scan_idx; @@ -331,6 +339,13 @@ int cmpProto(const void *_a, const void *_b) { return(strcmp(a->name, b->name)); } +int cmpFlows(const void *_a, const void *_b) { + struct flow_info *a = (struct flow_info*)_a; + struct flow_info *b = (struct flow_info*)_b; + + return((a->flow->src2dst_bytes + a->flow->dst2src_bytes) < (b->flow->src2dst_bytes + b->flow->dst2src_bytes) ? 1 : -1); +} + void extcap_config() { int i, argidx = 0; struct ndpi_detection_module_struct *ndpi_mod; @@ -555,8 +570,7 @@ static void parseOptions(int argc, char **argv) { } } - if(!bpf_filter_flag) { - + if(!bpf_filter_flag) { if(do_capture) { quiet_mode = 1; extcap_capture(); @@ -670,7 +684,7 @@ char* intoaV4(u_int32_t addr, char* buf, u_int16_t bufLen) { /** * @brief Print the flow */ -static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { +static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t thread_id) { #ifdef HAVE_JSON_C json_object *jObj; #endif 
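Review bot: `cmpFlows` never returns 0, so two flows with equal byte totals compare as -1 in both directions; that breaks the ordering contract `qsort` expects and leaves the relative order of ties to the libc implementation. The sorted listing is what the updated `tests/result/*.out` files record, so ties should be resolved deterministically, for example `return (tb > ta) - (tb < ta);` with `ta` and `tb` holding each flow's `src2dst_bytes + dst2src_bytes`, optionally followed by a fixed secondary key. The arguments can also be read through `const struct flow_info *` instead of casting `const` away.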
@@ -680,7 +694,7 @@ static void printFlow(u_int16_t thread_id, struct ndpi_flow_info *flow) { return; if(!json_flag) { - fprintf(out, "\t%u", ++num_flows); + fprintf(out, "\t%u", id); fprintf(out, "\t%s ", ipProto2Name(flow->protocol)); @@ -785,8 +799,11 @@ static void node_print_unknown_proto_walker(const void *node, ndpi_VISIT which, if(flow->detected_protocol.app_protocol != NDPI_PROTOCOL_UNKNOWN) return; - if((which == ndpi_preorder) || (which == ndpi_leaf)) /* Avoid walking the same node multiple times */ - printFlow(thread_id, flow); + if((which == ndpi_preorder) || (which == ndpi_leaf)) { + /* Avoid walking the same node multiple times */ + all_flows[num_flows].thread_id = thread_id, all_flows[num_flows].flow = flow; + num_flows++; + } } /** @@ -799,8 +816,11 @@ static void node_print_known_proto_walker(const void *node, ndpi_VISIT which, in if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) return; - if((which == ndpi_preorder) || (which == ndpi_leaf)) /* Avoid walking the same node multiple times */ - printFlow(thread_id, flow); + if((which == ndpi_preorder) || (which == ndpi_leaf)) { + /* Avoid walking the same node multiple times */ + all_flows[num_flows].thread_id = thread_id, all_flows[num_flows].flow = flow; + num_flows++; + } } @@ -837,7 +857,6 @@ static void node_proto_guess_walker(const void *node, ndpi_VISIT which, int dept if(enable_protocol_guess) { if(flow->detected_protocol.app_protocol == NDPI_PROTOCOL_UNKNOWN) { node_guess_undetected_protocol(thread_id, flow); - // printFlow(thread_id, flow); } } @@ -885,6 +904,7 @@ void updateScanners(struct single_flow_info **scanners, const char *saddr, u_int HASH_ADD_INT(f->ports, port, pp); } + else pp->num_flows++; } } @@ -1148,7 +1168,7 @@ static void on_protocol_discovered(struct ndpi_workflow * workflow, } } - printFlow(thread_id, flow); + // printFlow(thread_id, flow); } } 
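Review bot: Both walkers (`node_print_unknown_proto_walker` in the `-785` hunk and `node_print_known_proto_walker` in the `-799` hunk) store to `all_flows[num_flows]` with no check against the number of elements allocated in `printResults`, so the write is in bounds only while the summed `num_allocated_flows` is at least the number of nodes visited. That counter is maintained in another file and the capacity itself lives in a local variable, so nothing at the point of the write can enforce the invariant. Keeping the capacity in a file-scope variable next to `all_flows` and guarding the store, e.g. `if(num_flows < all_flows_capacity) { ...; num_flows++; }` (`all_flows_capacity` being a new name), would turn a heap overflow into a truncated listing if the counter ever drifts. Both walker bodies start outside their hunks.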
@@ -1804,7 +1824,16 @@ static void printResults(u_int64_t tot_usec) { if((verbose == 1) || (verbose == 2)) { FILE *out = results_file ? results_file : stdout; + u_int32_t total_flows = 0; + + for(thread_id = 0; thread_id < num_threads; thread_id++) + total_flows += ndpi_thread_info[thread_id].workflow->num_allocated_flows; + if((all_flows = (struct flow_info*)malloc(sizeof(struct flow_info)*total_flows)) == NULL) { + printf("Fatal error: not enough memory\n"); + exit(-1); + } + if(!json_flag) fprintf(out, "\n"); num_flows = 0; @@ -1813,6 +1842,11 @@ static void printResults(u_int64_t tot_usec) { ndpi_twalk(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], node_print_known_proto_walker, &thread_id); } + qsort(all_flows, num_flows, sizeof(struct flow_info), cmpFlows); + + for(i=0; istats.protocol_counter[0 /* 0 = Unknown */] > 0) { if(!json_flag) { @@ -1834,6 +1868,13 @@ static void printResults(u_int64_t tot_usec) { ndpi_twalk(ndpi_thread_info[thread_id].workflow->ndpi_flows_root[i], node_print_unknown_proto_walker, &thread_id); } } + + qsort(all_flows, num_flows, sizeof(struct flow_info), cmpFlows); + + for(i=0; indpi_struct, NDPI_LOG_ERROR, "[NDPI] %s(1): not enough memory\n", __FUNCTION__); return(NULL); - } + } else + workflow->num_allocated_flows++; memset(newflow, 0, sizeof(struct ndpi_flow_info)); newflow->hashval = hashval; @@ -544,6 +544,7 @@ static struct ndpi_proto packet_processing(struct ndpi_workflow * workflow, /* TODO: When half_free is deprecated, get rid of this */ ndpi_free_flow_info_half(flow); } + return(flow->detected_protocol); } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 45101cf10..5fe3dc66b 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -130,6 +130,7 @@ typedef struct ndpi_workflow { /* allocated by prefs */ void **ndpi_flows_root; struct ndpi_detection_module_struct *ndpi_struct; + u_int32_t num_allocated_flows; } ndpi_workflow_t; 
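Review bot: The new allocation in `printResults` treats a NULL return from `malloc` as out-of-memory, but when `total_flows` is 0 (a capture that produced no flows) `malloc(0)` is allowed to return NULL, so the program can report "Fatal error: not enough memory" and exit on an empty input. `calloc(total_flows ? total_flows : 1, sizeof(*all_flows))` avoids that and also lets the allocator check the size multiplication. The message would be better sent to `stderr`, and I cannot see from this hunk where `all_flows` is released, because the later hunks of this function are truncated on the page. `printResults` starts and ends outside the hunk.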
diff --git a/tests/result/1kxun.pcap.out b/tests/result/1kxun.pcap.out index 660bc2372..a716fa8e4 100644 --- a/tests/result/1kxun.pcap.out +++ b/tests/result/1kxun.pcap.out 
@@ -15,135 +15,135 @@ Google 3 176 1 LLMNR 89 6799 47 1kxun 952 531718 21 - 1 TCP 119.235.235.84:443 <-> 192.168.5.16:53406 [proto: 91/SSL][13 pkts/6269 bytes <-> 10 pkts/1165 bytes] - 2 TCP 192.168.115.8:49613 <-> 183.131.48.144:80 [proto: 7.205/HTTP.1kxun][260 pkts/15070 bytes <-> 159 pkts/168623 bytes][Host: 183.131.48.144] - 3 UDP [fe80::5d92:62a8:ebde:1319]:53938 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap] - 4 UDP [fe80::9bd:81dd:2fdc:5750]:61548 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/190 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] - 5 UDP [fe80::5d92:62a8:ebde:1319]:58468 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 6 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/SSL][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][client: 1] - 7 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/SSL][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][client: 1] - 8 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/SSL][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][client: 1] - 9 UDP [fe80::9bd:81dd:2fdc:5750]:64568 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/190 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] - 10 UDP [fe80::5d92:62a8:ebde:1319]:61172 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/174 bytes -> 0 pkts/0 bytes][Host: sonusav] - 11 TCP 192.168.5.16:53627 <-> 203.69.81.73:80 [proto: 7.205/HTTP.1kxun][6 pkts/676 bytes <-> 8 pkts/8822 bytes][Host: dl-obs.official.line.naver.jp] - 12 UDP [fe80::4568:efbc:40b1:1346]:50194 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 13 UDP 192.168.5.16:63372 <-> 168.95.1.1:53 [proto: 5/DNS][1 pkts/89 bytes <-> 1 pkts/289 bytes][Host: dl-obs.official.line.naver.jp] - 14 UDP 192.168.5.45:59461 -> 192.168.255.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes -> 0 pkts/0 bytes] - 15 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes -> 0 pkts/0 bytes] - 16 
TCP 192.168.115.8:49607 <-> 218.244.135.170:9099 [proto: 7.205/HTTP.1kxun][10 pkts/880 bytes <-> 3 pkts/572 bytes][Host: 218.244.135.170:9099] - 17 UDP 192.168.5.48:49701 -> 239.255.255.250:1900 [proto: 12/SSDP][7 pkts/1253 bytes -> 0 pkts/0 bytes] - 18 UDP [fe80::4568:efbc:40b1:1346]:57148 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 19 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 20 UDP 192.168.5.44:51389 -> 239.255.255.250:1900 [proto: 12/SSDP][13 pkts/2275 bytes -> 0 pkts/0 bytes] - 21 UDP 192.168.5.16:68 <-> 192.168.119.1:67 [proto: 18/DHCP][2 pkts/684 bytes <-> 2 pkts/684 bytes][Host: macbook-air] - 22 UDP 192.168.5.41:55593 -> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 23 UDP 192.168.101.33:55485 -> 239.255.255.250:1900 [proto: 12/SSDP][10 pkts/1750 bytes -> 0 pkts/0 bytes] - 24 UDP 192.168.3.236:56043 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap] - 25 UDP 192.168.115.8:51024 <-> 8.8.8.8:53 [proto: 5.205/DNS.1kxun][2 pkts/160 bytes <-> 1 pkts/112 bytes][Host: jp.kankan.1kxun.mobi] - 26 UDP 192.168.5.57:55809 -> 239.255.255.250:1900 [proto: 12/SSDP][14 pkts/2450 bytes -> 0 pkts/0 bytes] - 27 UDP 192.168.5.50:57143 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 28 UDP 192.168.5.37:57325 -> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1575 bytes -> 0 pkts/0 bytes] - 29 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 30 UDP 192.168.5.44:59571 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-pc] - 31 UDP 192.168.115.8:54420 <-> 8.8.8.8:53 [proto: 5.48/DNS.QQ][2 pkts/150 bytes <-> 1 pkts/116 bytes][Host: vv.video.qq.com] - 32 UDP 192.168.5.48:59797 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/140 bytes -> 0 pkts/0 
bytes][Host: kasper-mac] - 33 UDP 192.168.5.47:60267 -> 239.255.255.250:1900 [proto: 12/SSDP][8 pkts/1432 bytes -> 0 pkts/0 bytes] - 34 UDP 192.168.5.47:61603 -> 224.0.0.252:5355 [proto: 125/Skype][2 pkts/132 bytes -> 0 pkts/0 bytes] - 35 UDP 192.168.3.236:62069 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 36 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 37 UDP 192.168.115.8:60724 <-> 8.8.8.8:53 [proto: 5.205/DNS.1kxun][2 pkts/146 bytes <-> 1 pkts/137 bytes][Host: pic.1kxun.com] - 38 UDP [fe80::edf5:240a:c8c0:8312]:61603 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: ro_x1c] - 39 UDP 192.168.5.49:1900 -> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/8473 bytes -> 0 pkts/0 bytes] - 40 TCP 192.168.115.8:49609 <-> 42.120.51.152:8080 [proto: 7.205/HTTP.1kxun][20 pkts/4716 bytes <-> 13 pkts/7005 bytes][Host: 42.120.51.152:8080] - 41 TCP 192.168.5.16:53624 <-> 68.233.253.133:80 [proto: 7.205/HTTP.1kxun][7 pkts/996 bytes <-> 5 pkts/986 bytes][Host: api.magicansoft.com] - 42 UDP [fe80::e98f:bae2:19f7:6b0f]:51451 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 43 TCP 192.168.115.8:49600 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][18 pkts/1722 bytes <-> 51 pkts/61707 bytes][Host: pic.1kxun.com] - 44 TCP 192.168.115.8:49606 <-> 106.185.35.110:80 [proto: 7.205/HTTP.1kxun][22 pkts/1926 bytes <-> 28 pkts/33821 bytes][Host: jp.kankan.1kxun.mobi] - 45 TCP 192.168.115.8:49602 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][24 pkts/2786 bytes <-> 41 pkts/46203 bytes][Host: pic.1kxun.com] - 46 TCP 192.168.115.8:49604 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][20 pkts/2564 bytes <-> 38 pkts/43013 bytes][Host: pic.1kxun.com] - 47 UDP [fe80::f65c:89ff:fe89:e607]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][1 pkts/98 bytes -> 0 pkts/0 bytes] - 48 UDP 
[fe80::e98f:bae2:19f7:6b0f]:58779 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 49 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][4 pkts/1368 bytes -> 0 pkts/0 bytes][Host: shen] - 50 UDP [fe80::5d92:62a8:ebde:1319]:49735 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 51 TCP 192.168.115.8:49612 <-> 183.131.48.145:80 [proto: 7.205/HTTP.1kxun][10 pkts/1428 bytes <-> 4 pkts/867 bytes][Host: 183.131.48.145] - 52 UDP 192.168.115.8:52723 <-> 168.95.1.1:53 [proto: 5.205/DNS.1kxun][2 pkts/152 bytes <-> 1 pkts/108 bytes][Host: kankan.1kxun.com] - 53 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][18 pkts/3550 bytes <-> 7 pkts/1400 bytes][Host: vv.video.qq.com] - 54 TCP 192.168.115.8:49596 <-> 203.66.182.87:443 [proto: 91/SSL][4 pkts/220 bytes <-> 2 pkts/132 bytes] - 55 UDP [fe80::9bd:81dd:2fdc:5750]:1900 -> [ff02::c]:1900 [proto: 12/SSDP][16 pkts/8921 bytes -> 0 pkts/0 bytes] - 56 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/SSL][1 pkts/60 bytes <-> 1 pkts/60 bytes] - 57 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/SSL][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][client: 1] - 58 TCP 192.168.5.16:53628 <-> 203.69.81.73:80 [proto: 7.205/HTTP.1kxun][6 pkts/676 bytes <-> 8 pkts/8482 bytes][Host: dl-obs.official.line.naver.jp] - 59 TCP 192.168.115.8:49598 <-> 222.73.254.167:80 [proto: 7.205/HTTP.1kxun][10 pkts/1406 bytes <-> 4 pkts/980 bytes][Host: kankan.1kxun.com] - 60 UDP [fe80::5d92:62a8:ebde:1319]:63659 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap] - 61 UDP [fe80::406:55a8:6453:25dd]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][5 pkts/490 bytes -> 0 pkts/0 bytes] - 62 UDP 192.168.5.50:49766 -> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 63 UDP 192.168.5.50:50030 -> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: 
charming-pc] - 64 UDP 192.168.115.8:51458 -> 224.0.0.252:5355 [proto: 154/LLMNR][4 pkts/256 bytes -> 0 pkts/0 bytes][Host: wpad] - 65 UDP 192.168.3.236:51714 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap] - 66 UDP 192.168.5.49:51704 -> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1611 bytes -> 0 pkts/0 bytes] - 67 UDP 192.168.115.8:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][6 pkts/552 bytes -> 0 pkts/0 bytes] - 68 UDP 192.168.5.67:138 -> 192.168.255.255:138 [proto: 10/NetBIOS][2 pkts/549 bytes -> 0 pkts/0 bytes] - 69 UDP 192.168.5.45:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][2 pkts/184 bytes -> 0 pkts/0 bytes] - 70 UDP 192.168.5.45:138 -> 192.168.255.255:138 [proto: 10/NetBIOS][3 pkts/648 bytes -> 0 pkts/0 bytes] - 71 UDP 192.168.3.236:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][13 pkts/1196 bytes -> 0 pkts/0 bytes] - 72 UDP 192.168.0.104:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][3 pkts/276 bytes -> 0 pkts/0 bytes] - 73 UDP 192.168.5.47:53962 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: ro_x1c] - 74 UDP 192.168.5.41:54470 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 75 UDP 192.168.5.37:54506 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook] - 76 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: 小佛專機] - 77 UDP 192.168.5.41:55312 -> 239.255.255.250:1900 [proto: 12/SSDP][8 pkts/1400 bytes -> 0 pkts/0 bytes] - 78 UDP 192.168.5.9:55484 -> 239.255.255.250:1900 [proto: 12/SSDP][12 pkts/2100 bytes -> 0 pkts/0 bytes] - 79 UDP [fe80::e034:7be:d8f9:6197]:49766 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/182 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 80 UDP 192.168.5.37:56366 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook] - 81 UDP 192.168.115.8:52723 <-> 8.8.8.8:53 [proto: 5.205/DNS.1kxun][2 
pkts/152 bytes <-> 1 pkts/108 bytes][Host: kankan.1kxun.com] - 82 UDP 192.168.101.33:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] - 83 UDP 192.168.5.9:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] - 84 UDP 192.168.5.44:58702 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-pc] - 85 UDP 192.168.5.44:59062 -> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: jason-pc] - 86 UDP [fe80::edf5:240a:c8c0:8312]:53962 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: ro_x1c] - 87 UDP 192.168.3.236:59730 -> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: sonusav] - 88 UDP 192.168.3.95:59468 -> 239.255.255.250:1900 [proto: 12/SSDP][12 pkts/2100 bytes -> 0 pkts/0 bytes] - 89 UDP 192.168.5.49:61548 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] - 90 TCP 192.168.5.16:53580 <-> 31.13.87.36:443 [proto: 91.119/SSL.Facebook][4 pkts/2050 bytes <-> 5 pkts/2297 bytes] - 91 TCP 31.13.87.1:443 <-> 192.168.5.16:53578 [proto: 91.119/SSL.Facebook][5 pkts/1006 bytes <-> 5 pkts/1487 bytes] - 92 UDP 192.168.5.50:62756 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 93 UDP 192.168.101.33:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] - 94 UDP 192.168.5.9:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] - 95 UDP 192.168.5.57:64428 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: usher-pc] - 96 UDP 192.168.5.49:64568 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] - 97 UDP 192.168.5.50:64674 -> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1611 bytes -> 0 pkts/0 bytes] - 98 UDP 192.168.5.57:65150 
-> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: usher-pc] - 99 UDP 192.168.3.236:65496 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] - 100 TCP 192.168.115.8:49581 <-> 64.233.189.128:80 [proto: 7.126/HTTP.Google][2 pkts/110 bytes <-> 1 pkts/66 bytes] - 101 UDP 192.168.119.1:67 -> 255.255.255.255:68 [proto: 18/DHCP][14 pkts/4788 bytes -> 0 pkts/0 bytes] - 102 UDP 192.168.5.9:68 -> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: joanna-pc] - 103 UDP 192.168.5.41:68 -> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: kevin-pc] - 104 UDP [fe80::beee:7bff:fe0c:b3de]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][4 pkts/392 bytes -> 0 pkts/0 bytes] - 105 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc] - 106 UDP 192.168.5.64:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/82 bytes -> 0 pkts/0 bytes] - 107 TCP 192.168.5.16:53605 -> 68.233.253.133:80 [proto: 7/HTTP][2 pkts/126 bytes -> 0 pkts/0 bytes] - 108 TCP 192.168.5.16:53613 -> 68.233.253.133:80 [proto: 7/HTTP][3 pkts/198 bytes -> 0 pkts/0 bytes] + 1 TCP 192.168.115.8:49613 <-> 183.131.48.144:80 [proto: 7.205/HTTP.1kxun][260 pkts/15070 bytes <-> 159 pkts/168623 bytes][Host: 183.131.48.144] + 2 TCP 192.168.115.8:49600 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][18 pkts/1722 bytes <-> 51 pkts/61707 bytes][Host: pic.1kxun.com] + 3 TCP 192.168.115.8:49601 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][18 pkts/2440 bytes <-> 43 pkts/49237 bytes][Host: pic.1kxun.com] + 4 TCP 192.168.115.8:49602 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][24 pkts/2786 bytes <-> 41 pkts/46203 bytes][Host: pic.1kxun.com] + 5 TCP 192.168.115.8:49604 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][20 pkts/2564 bytes <-> 38 pkts/43013 bytes][Host: pic.1kxun.com] + 6 TCP 192.168.115.8:49606 <-> 106.185.35.110:80 [proto: 
7.205/HTTP.1kxun][22 pkts/1926 bytes <-> 28 pkts/33821 bytes][Host: jp.kankan.1kxun.mobi] + 7 TCP 192.168.115.8:49599 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][16 pkts/1612 bytes <-> 27 pkts/29579 bytes][Host: pic.1kxun.com] + 8 TCP 192.168.115.8:49603 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][12 pkts/1396 bytes <-> 22 pkts/24184 bytes][Host: pic.1kxun.com] + 9 TCP 192.168.115.8:49609 <-> 42.120.51.152:8080 [proto: 7.205/HTTP.1kxun][20 pkts/4716 bytes <-> 13 pkts/7005 bytes][Host: 42.120.51.152:8080] + 10 TCP 192.168.5.16:53627 <-> 203.69.81.73:80 [proto: 7.205/HTTP.1kxun][6 pkts/676 bytes <-> 8 pkts/8822 bytes][Host: dl-obs.official.line.naver.jp] + 11 TCP 192.168.5.16:53628 <-> 203.69.81.73:80 [proto: 7.205/HTTP.1kxun][6 pkts/676 bytes <-> 8 pkts/8482 bytes][Host: dl-obs.official.line.naver.jp] + 12 UDP [fe80::9bd:81dd:2fdc:5750]:1900 -> [ff02::c]:1900 [proto: 12/SSDP][16 pkts/8921 bytes -> 0 pkts/0 bytes] + 13 UDP 192.168.5.49:1900 -> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/8473 bytes -> 0 pkts/0 bytes] + 14 TCP 119.235.235.84:443 <-> 192.168.5.16:53406 [proto: 91/SSL][13 pkts/6269 bytes <-> 10 pkts/1165 bytes] + 15 TCP 192.168.115.8:49608 <-> 203.205.151.234:80 [proto: 7.48/HTTP.QQ][18 pkts/3550 bytes <-> 7 pkts/1400 bytes][Host: vv.video.qq.com] + 16 UDP 192.168.119.1:67 -> 255.255.255.255:68 [proto: 18/DHCP][14 pkts/4788 bytes -> 0 pkts/0 bytes] + 17 TCP 192.168.5.16:53580 <-> 31.13.87.36:443 [proto: 91.119/SSL.Facebook][4 pkts/2050 bytes <-> 5 pkts/2297 bytes] + 18 TCP 192.168.5.16:53623 <-> 192.168.115.75:443 [proto: 91/SSL][11 pkts/1959 bytes <-> 8 pkts/1683 bytes][client: 1] + 19 TCP 192.168.5.16:53625 <-> 192.168.115.75:443 [proto: 91/SSL][11 pkts/1955 bytes <-> 8 pkts/1683 bytes][client: 1] + 20 TCP 192.168.5.16:53629 <-> 192.168.115.75:443 [proto: 91/SSL][10 pkts/1895 bytes <-> 7 pkts/1623 bytes][client: 1] + 21 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7.205/HTTP.1kxun][8 pkts/1128 bytes <-> 5 pkts/2282 bytes][Host: 
jp.kankan.1kxun.mobi] + 22 TCP 192.168.5.16:53626 <-> 192.168.115.75:443 [proto: 91/SSL][11 pkts/1943 bytes <-> 8 pkts/1267 bytes][client: 1] + 23 TCP 192.168.115.8:49597 <-> 106.185.35.110:80 [proto: 7.205/HTTP.1kxun][10 pkts/1394 bytes <-> 4 pkts/1464 bytes][Host: jp.kankan.1kxun.mobi] + 24 TCP 31.13.87.1:443 <-> 192.168.5.16:53578 [proto: 91.119/SSL.Facebook][5 pkts/1006 bytes <-> 5 pkts/1487 bytes] + 25 UDP 192.168.5.57:55809 -> 239.255.255.250:1900 [proto: 12/SSDP][14 pkts/2450 bytes -> 0 pkts/0 bytes] + 26 TCP 192.168.115.8:49598 <-> 222.73.254.167:80 [proto: 7.205/HTTP.1kxun][10 pkts/1406 bytes <-> 4 pkts/980 bytes][Host: kankan.1kxun.com] + 27 TCP 192.168.115.8:49612 <-> 183.131.48.145:80 [proto: 7.205/HTTP.1kxun][10 pkts/1428 bytes <-> 4 pkts/867 bytes][Host: 183.131.48.145] + 28 UDP 192.168.5.44:51389 -> 239.255.255.250:1900 [proto: 12/SSDP][13 pkts/2275 bytes -> 0 pkts/0 bytes] + 29 UDP 192.168.5.9:55484 -> 239.255.255.250:1900 [proto: 12/SSDP][12 pkts/2100 bytes -> 0 pkts/0 bytes] + 30 UDP 192.168.3.95:59468 -> 239.255.255.250:1900 [proto: 12/SSDP][12 pkts/2100 bytes -> 0 pkts/0 bytes] + 31 TCP 192.168.5.16:53624 <-> 68.233.253.133:80 [proto: 7.205/HTTP.1kxun][7 pkts/996 bytes <-> 5 pkts/986 bytes][Host: api.magicansoft.com] + 32 UDP 192.168.101.33:55485 -> 239.255.255.250:1900 [proto: 12/SSDP][10 pkts/1750 bytes -> 0 pkts/0 bytes] + 33 UDP 192.168.5.49:51704 -> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1611 bytes -> 0 pkts/0 bytes] + 34 UDP 192.168.5.50:64674 -> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1611 bytes -> 0 pkts/0 bytes] + 35 UDP 192.168.5.37:57325 -> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1575 bytes -> 0 pkts/0 bytes] + 36 TCP 192.168.115.8:49607 <-> 218.244.135.170:9099 [proto: 7.205/HTTP.1kxun][10 pkts/880 bytes <-> 3 pkts/572 bytes][Host: 218.244.135.170:9099] + 37 UDP 192.168.5.47:60267 -> 239.255.255.250:1900 [proto: 12/SSDP][8 pkts/1432 bytes -> 0 pkts/0 bytes] + 38 UDP 192.168.5.41:55312 -> 239.255.255.250:1900 [proto: 
12/SSDP][8 pkts/1400 bytes -> 0 pkts/0 bytes] + 39 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][4 pkts/1368 bytes -> 0 pkts/0 bytes][Host: shen] + 40 UDP 192.168.5.16:68 <-> 192.168.119.1:67 [proto: 18/DHCP][2 pkts/684 bytes <-> 2 pkts/684 bytes][Host: macbook-air] + 41 UDP 192.168.5.48:49701 -> 239.255.255.250:1900 [proto: 12/SSDP][7 pkts/1253 bytes -> 0 pkts/0 bytes] + 42 UDP 192.168.3.236:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][13 pkts/1196 bytes -> 0 pkts/0 bytes] + 43 UDP 192.168.5.45:138 -> 192.168.255.255:138 [proto: 10/NetBIOS][3 pkts/648 bytes -> 0 pkts/0 bytes] + 44 UDP 192.168.115.8:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][6 pkts/552 bytes -> 0 pkts/0 bytes] + 45 UDP 192.168.5.67:138 -> 192.168.255.255:138 [proto: 10/NetBIOS][2 pkts/549 bytes -> 0 pkts/0 bytes] + 46 UDP [fe80::406:55a8:6453:25dd]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][5 pkts/490 bytes -> 0 pkts/0 bytes] + 47 UDP [fe80::beee:7bff:fe0c:b3de]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][4 pkts/392 bytes -> 0 pkts/0 bytes] + 48 UDP 192.168.5.16:63372 <-> 168.95.1.1:53 [proto: 5/DNS][1 pkts/89 bytes <-> 1 pkts/289 bytes][Host: dl-obs.official.line.naver.jp] + 49 TCP 192.168.115.8:49596 <-> 203.66.182.87:443 [proto: 91/SSL][4 pkts/220 bytes <-> 2 pkts/132 bytes] + 50 UDP 192.168.5.9:68 -> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: joanna-pc] + 51 UDP 192.168.5.41:68 -> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: kevin-pc] + 52 UDP 192.168.115.8:60724 <-> 8.8.8.8:53 [proto: 5.205/DNS.1kxun][2 pkts/146 bytes <-> 1 pkts/137 bytes][Host: pic.1kxun.com] + 53 UDP 192.168.0.104:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][3 pkts/276 bytes -> 0 pkts/0 bytes] + 54 UDP 192.168.115.8:51024 <-> 8.8.8.8:53 [proto: 5.205/DNS.1kxun][2 pkts/160 bytes <-> 1 pkts/112 bytes][Host: jp.kankan.1kxun.mobi] + 55 UDP 192.168.115.8:54420 <-> 8.8.8.8:53 [proto: 5.48/DNS.QQ][2 pkts/150 bytes <-> 1 pkts/116 bytes][Host: 
vv.video.qq.com] + 56 UDP 192.168.115.8:52723 <-> 168.95.1.1:53 [proto: 5.205/DNS.1kxun][2 pkts/152 bytes <-> 1 pkts/108 bytes][Host: kankan.1kxun.com] + 57 UDP 192.168.115.8:52723 <-> 8.8.8.8:53 [proto: 5.205/DNS.1kxun][2 pkts/152 bytes <-> 1 pkts/108 bytes][Host: kankan.1kxun.com] + 58 UDP 192.168.115.8:51458 -> 224.0.0.252:5355 [proto: 154/LLMNR][4 pkts/256 bytes -> 0 pkts/0 bytes][Host: wpad] + 59 TCP 192.168.5.16:53613 -> 68.233.253.133:80 [proto: 7/HTTP][3 pkts/198 bytes -> 0 pkts/0 bytes] + 60 UDP [fe80::9bd:81dd:2fdc:5750]:61548 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/190 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] + 61 UDP [fe80::9bd:81dd:2fdc:5750]:64568 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/190 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] + 62 UDP 192.168.5.45:137 -> 192.168.255.255:137 [proto: 10/NetBIOS][2 pkts/184 bytes -> 0 pkts/0 bytes] + 63 UDP [fe80::e98f:bae2:19f7:6b0f]:58779 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: 小佛專機] + 64 UDP [fe80::e98f:bae2:19f7:6b0f]:51451 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: 小佛專機] + 65 UDP [fe80::e98f:bae2:19f7:6b0f]:54888 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: 小佛專機] + 66 UDP [fe80::e034:7be:d8f9:6197]:49766 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/182 bytes -> 0 pkts/0 bytes][Host: charming-pc] + 67 UDP [fe80::5d92:62a8:ebde:1319]:49735 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] + 68 UDP [fe80::5d92:62a8:ebde:1319]:58468 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/178 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] + 69 UDP [fe80::4568:efbc:40b1:1346]:50194 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-pc] + 70 TCP 192.168.115.8:49581 <-> 64.233.189.128:80 [proto: 7.126/HTTP.Google][2 pkts/110 bytes <-> 1 pkts/66 bytes] + 71 UDP [fe80::4568:efbc:40b1:1346]:57148 -> [ff02::1:3]:5355 
[proto: 154/LLMNR][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: kevin-pc] + 72 UDP [fe80::5d92:62a8:ebde:1319]:61172 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/174 bytes -> 0 pkts/0 bytes][Host: sonusav] + 73 UDP [fe80::5d92:62a8:ebde:1319]:63659 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap] + 74 UDP [fe80::5d92:62a8:ebde:1319]:53938 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: isatap] + 75 UDP [fe80::edf5:240a:c8c0:8312]:61603 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: ro_x1c] + 76 UDP [fe80::edf5:240a:c8c0:8312]:53962 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: ro_x1c] + 77 UDP 192.168.5.49:61548 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] + 78 UDP 192.168.5.49:64568 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/150 bytes -> 0 pkts/0 bytes][Host: caesar-thinkpad] + 79 UDP 192.168.3.95:54888 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: 小佛專機] + 80 UDP 192.168.3.95:58779 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: 小佛專機] + 81 UDP 192.168.3.95:51451 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/144 bytes -> 0 pkts/0 bytes][Host: 小佛專機] + 82 UDP 192.168.5.50:57143 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-pc] + 83 UDP 192.168.5.50:62756 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/142 bytes -> 0 pkts/0 bytes][Host: charming-pc] + 84 UDP 192.168.5.48:59797 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: kasper-mac] + 85 UDP 192.168.3.236:62069 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] + 86 UDP 192.168.3.236:65496 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: wangs-ltw] + 87 UDP 192.168.5.9:62822 -> 224.0.0.252:5355 [proto: 
154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] + 88 UDP 192.168.101.33:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] + 89 UDP 192.168.5.9:58456 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] + 90 UDP 192.168.101.33:62822 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/138 bytes -> 0 pkts/0 bytes][Host: joanna-pc] + 91 UDP 192.168.5.44:59571 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-pc] + 92 UDP 192.168.5.37:54506 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook] + 93 UDP 192.168.5.41:54470 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: kevin-pc] + 94 UDP 192.168.5.57:64428 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: usher-pc] + 95 UDP 192.168.5.57:65150 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: usher-pc] + 96 UDP 192.168.5.44:58702 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: jason-pc] + 97 UDP 192.168.5.37:56366 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: notebook] + 98 UDP 192.168.5.47:61603 -> 224.0.0.252:5355 [proto: 125/Skype][2 pkts/132 bytes -> 0 pkts/0 bytes] + 99 UDP 192.168.3.236:56043 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap] + 100 UDP 192.168.5.47:53962 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: ro_x1c] + 101 UDP 192.168.3.236:51714 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/132 bytes -> 0 pkts/0 bytes][Host: isatap] + 102 TCP 192.168.5.16:53605 -> 68.233.253.133:80 [proto: 7/HTTP][2 pkts/126 bytes -> 0 pkts/0 bytes] + 103 TCP 192.168.5.16:53622 <-> 192.168.115.75:443 [proto: 91/SSL][1 pkts/60 bytes <-> 1 pkts/60 bytes] + 104 UDP [fe80::f65c:89ff:fe89:e607]:546 -> [ff02::1:2]:547 [proto: 
103/DHCPV6][1 pkts/98 bytes -> 0 pkts/0 bytes] + 105 UDP 192.168.5.45:59789 -> 192.168.255.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes -> 0 pkts/0 bytes] + 106 UDP 192.168.5.45:59461 -> 192.168.255.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes -> 0 pkts/0 bytes] + 107 UDP [fe80::e034:7be:d8f9:6197]:57143 -> [ff02::1:3]:5355 [proto: 154/LLMNR][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc] + 108 UDP [fe80::e034:7be:d8f9:6197]:62756 -> [ff02::1:3]:5355 [proto: 154/LLMNR][1 pkts/91 bytes -> 0 pkts/0 bytes][Host: charming-pc] 109 UDP 192.168.5.16:123 -> 17.253.26.125:123 [proto: 9/NTP][1 pkts/90 bytes -> 0 pkts/0 bytes] - 110 TCP 192.168.115.8:49597 <-> 106.185.35.110:80 [proto: 7.205/HTTP.1kxun][10 pkts/1394 bytes <-> 4 pkts/1464 bytes][Host: jp.kankan.1kxun.mobi] - 111 TCP 192.168.115.8:49599 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][16 pkts/1612 bytes <-> 27 pkts/29579 bytes][Host: pic.1kxun.com] - 112 TCP 192.168.115.8:49605 <-> 106.185.35.110:80 [proto: 7.205/HTTP.1kxun][8 pkts/1128 bytes <-> 5 pkts/2282 bytes][Host: jp.kankan.1kxun.mobi] - 113 TCP 192.168.115.8:49601 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][18 pkts/2440 bytes <-> 43 pkts/49237 bytes][Host: pic.1kxun.com] - 114 TCP 192.168.115.8:49603 <-> 106.187.35.246:80 [proto: 7.205/HTTP.1kxun][12 pkts/1396 bytes <-> 22 pkts/24184 bytes][Host: pic.1kxun.com] - 115 UDP [fe80::e98f:bae2:19f7:6b0f]:54888 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/184 bytes -> 0 pkts/0 bytes][Host: 小佛專機] + 110 UDP 192.168.5.64:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/82 bytes -> 0 pkts/0 bytes] + 111 UDP 192.168.5.50:49766 -> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-pc] + 112 UDP 192.168.5.50:50030 -> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/71 bytes -> 0 pkts/0 bytes][Host: charming-pc] + 113 UDP 192.168.5.41:55593 -> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: kevin-pc] + 114 UDP 192.168.5.44:59062 -> 224.0.0.252:5355 
[proto: 154/LLMNR][1 pkts/68 bytes -> 0 pkts/0 bytes][Host: jason-pc] + 115 UDP 192.168.3.236:59730 -> 224.0.0.252:5355 [proto: 154/LLMNR][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: sonusav] Undetected flows: - 1 UDP 192.168.2.186:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes] - 2 UDP 192.168.0.100:50925 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/142 bytes -> 0 pkts/0 bytes] - 3 UDP 192.168.10.110:60480 -> 255.255.255.255:62976 [proto: 0/Unknown][5 pkts/1795 bytes -> 0 pkts/0 bytes] + 1 UDP 192.168.10.110:60480 -> 255.255.255.255:62976 [proto: 0/Unknown][5 pkts/1795 bytes -> 0 pkts/0 bytes] + 2 UDP [2001:b030:214:100:c2a0:bbff:fe73:eb47]:62976 -> [ff02::1]:62976 [proto: 0/Unknown][2 pkts/782 bytes -> 0 pkts/0 bytes] + 3 UDP [2001:b020:6::c2a0:bbff:fe73:eb57]:62976 -> [ff02::1]:62976 [proto: 0/Unknown][2 pkts/782 bytes -> 0 pkts/0 bytes] 4 UDP 192.168.125.30:62976 -> 255.255.255.255:62976 [proto: 0/Unknown][2 pkts/718 bytes -> 0 pkts/0 bytes] 5 UDP 192.168.10.7:62976 -> 255.255.255.255:62976 [proto: 0/Unknown][2 pkts/718 bytes -> 0 pkts/0 bytes] 6 UDP 192.168.140.140:62976 -> 255.255.255.255:62976 [proto: 0/Unknown][1 pkts/359 bytes -> 0 pkts/0 bytes] - 7 UDP [2001:b030:214:100:c2a0:bbff:fe73:eb47]:62976 -> [ff02::1]:62976 [proto: 0/Unknown][2 pkts/782 bytes -> 0 pkts/0 bytes] - 8 UDP [2001:b020:6::c2a0:bbff:fe73:eb57]:62976 -> [ff02::1]:62976 [proto: 0/Unknown][2 pkts/782 bytes -> 0 pkts/0 bytes] + 7 UDP [fe80::4e5e:cff:feea:365]:5678 -> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/197 bytes -> 0 pkts/0 bytes] + 8 UDP [fe80::4e5e:cff:fe9a:ec54]:5678 -> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/185 bytes -> 0 pkts/0 bytes] 9 UDP 192.168.119.1:56861 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/177 bytes -> 0 pkts/0 bytes] 10 UDP 59.120.208.218:50151 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes] - 11 UDP [fe80::4e5e:cff:fe9a:ec54]:5678 -> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/185 bytes -> 0 
pkts/0 bytes] - 12 UDP [fe80::4e5e:cff:feea:365]:5678 -> [ff02::1]:5678 [proto: 0/Unknown][1 pkts/197 bytes -> 0 pkts/0 bytes] - 13 UDP 192.168.119.2:43786 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/163 bytes -> 0 pkts/0 bytes] + 11 UDP 192.168.2.186:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][2 pkts/164 bytes -> 0 pkts/0 bytes] + 12 UDP 192.168.119.2:43786 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/163 bytes -> 0 pkts/0 bytes] + 13 UDP 192.168.0.100:50925 -> 255.255.255.255:5678 [proto: 0/Unknown][1 pkts/142 bytes -> 0 pkts/0 bytes] 14 UDP 59.120.208.212:32768 -> 255.255.255.255:1947 [proto: 0/Unknown][1 pkts/82 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/6in4tunnel.pcap.out b/tests/result/6in4tunnel.pcap.out index d170a55aa..b32ab138a 100644 --- a/tests/result/6in4tunnel.pcap.out +++ b/tests/result/6in4tunnel.pcap.out 
@@ -4,13 +4,13 @@ SSL 28 15397 1 ICMPV6 48 7862 3 Facebook 37 14726 3 - 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/SSL.Facebook][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][client: www.facebook.com][server: *.facebook.com] - 2 UDP [2001:470:1f16:13f::2]:6404 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][1 pkts/133 bytes <-> 1 pkts/261 bytes][Host: star.c10r.facebook.com] - 3 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/SSL][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][client: mail.tomasu.net][server: mail.tomasu.net] - 4 ICMPV6 [2001:470:1f16:13f::2]:0 -> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][1 pkts/200 bytes -> 0 pkts/0 bytes] + 1 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:60205 <-> [2604:a880:1:20::224:b001]:443 [proto: 91/SSL][14 pkts/2312 bytes <-> 14 pkts/13085 bytes][client: mail.tomasu.net][server: mail.tomasu.net] + 2 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:53234 <-> [2a03:2880:1010:6f03:face:b00c::2]:443 [proto: 91.119/SSL.Facebook][18 pkts/6894 bytes <-> 15 pkts/7032 bytes][client: www.facebook.com][server: *.facebook.com] + 3 ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][23 pkts/3174 bytes <-> 23 pkts/3174 bytes] + 4 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:41538 <-> [2604:a880:1:20::224:b001]:80 [proto: 7/HTTP][6 pkts/786 bytes <-> 4 pkts/1006 bytes][Host: mail.tomasu.net] 5 ICMPV6 [2a03:2880:1010:6f03:face:b00c::2]:0 -> [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 [proto: 102/ICMPV6][1 pkts/1314 bytes -> 0 pkts/0 bytes] - 6 TCP [2604:a880:1:20::224:b001]:993 <-> [2001:470:1f17:13f:6d69:c72:7313:616f]:35610 [proto: 51/IMAPS][1 pkts/152 bytes <-> 1 pkts/106 bytes] - 7 ICMPV6 [2001:470:1f17:13f:3e97:eff:fe73:4dec]:0 <-> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][23 pkts/3174 bytes <-> 23 pkts/3174 bytes] - 8 TCP [2604:a880:1:20::224:b001]:993 <-> 
[2001:470:1f17:13f:6d69:c72:7313:616f]:56381 [proto: 51/IMAPS][1 pkts/152 bytes <-> 1 pkts/106 bytes] - 9 UDP [2001:470:1f16:13f::2]:53959 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][1 pkts/133 bytes <-> 1 pkts/273 bytes][Host: star.c10r.facebook.com] - 10 TCP [2001:470:1f17:13f:3e97:eff:fe73:4dec]:41538 <-> [2604:a880:1:20::224:b001]:80 [proto: 7/HTTP][6 pkts/786 bytes <-> 4 pkts/1006 bytes][Host: mail.tomasu.net] + 6 UDP [2001:470:1f16:13f::2]:53959 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][1 pkts/133 bytes <-> 1 pkts/273 bytes][Host: star.c10r.facebook.com] + 7 UDP [2001:470:1f16:13f::2]:6404 <-> [2a03:2880:fffe:b:face:b00c::99]:53 [proto: 5.119/DNS.Facebook][1 pkts/133 bytes <-> 1 pkts/261 bytes][Host: star.c10r.facebook.com] + 8 TCP [2604:a880:1:20::224:b001]:993 <-> [2001:470:1f17:13f:6d69:c72:7313:616f]:35610 [proto: 51/IMAPS][1 pkts/152 bytes <-> 1 pkts/106 bytes] + 9 TCP [2604:a880:1:20::224:b001]:993 <-> [2001:470:1f17:13f:6d69:c72:7313:616f]:56381 [proto: 51/IMAPS][1 pkts/152 bytes <-> 1 pkts/106 bytes] + 10 ICMPV6 [2001:470:1f16:13f::2]:0 -> [2604:a880:1:20::224:b001]:0 [proto: 102/ICMPV6][1 pkts/200 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/EAQ.pcap.out b/tests/result/EAQ.pcap.out index 663b6a9b5..187fced58 100644 --- a/tests/result/EAQ.pcap.out +++ b/tests/result/EAQ.pcap.out 
@@ -2,33 +2,33 @@ Google 23 11743 2 EAQ 174 10092 29 1 TCP 10.8.0.1:40467 <-> 173.194.119.24:80 [proto: 7.126/HTTP.Google][8 pkts/591 bytes <-> 6 pkts/9998 bytes][Host: www.google.com.br] - 2 UDP 10.8.0.1:34687 -> 200.194.141.68:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] - 3 UDP 10.8.0.1:36577 -> 200.194.149.68:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] - 4 TCP 10.8.0.1:53497 <-> 173.194.119.48:80 [proto: 7.126/HTTP.Google][5 pkts/390 bytes <-> 4 pkts/764 bytes][Host: www.google.com] - 5 UDP 10.8.0.1:37985 -> 200.194.129.67:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] - 6 UDP 10.8.0.1:39221 -> 200.194.137.67:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] - 7 UDP 10.8.0.1:39185 <-> 200.194.132.67:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] - 8 UDP 10.8.0.1:43641 <-> 200.194.148.68:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] - 9 UDP 10.8.0.1:43979 <-> 200.194.132.66:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] - 10 UDP 10.8.0.1:48563 -> 200.194.141.67:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] - 11 UDP 10.8.0.1:48890 <-> 200.185.125.226:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] - 12 UDP 10.8.0.1:50175 -> 200.194.149.67:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] - 13 UDP 10.8.0.1:51569 <-> 200.194.148.67:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] - 14 UDP 10.8.0.1:53059 -> 200.194.133.68:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] - 15 UDP 10.8.0.1:59959 -> 200.194.137.68:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] - 16 UDP 10.8.0.1:60013 -> 200.194.136.67:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] - 17 UDP 10.8.0.1:33356 -> 200.194.149.66:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] - 18 UDP 10.8.0.1:36552 -> 200.194.136.66:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] - 19 UDP 10.8.0.1:40058 -> 200.194.134.67:6000 [proto: 
190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] - 20 UDP 10.8.0.1:41438 -> 200.194.141.66:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] - 21 UDP 10.8.0.1:42620 <-> 200.194.148.66:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 2 TCP 10.8.0.1:53497 <-> 173.194.119.48:80 [proto: 7.126/HTTP.Google][5 pkts/390 bytes <-> 4 pkts/764 bytes][Host: www.google.com] + 3 UDP 10.8.0.1:52726 <-> 200.194.132.68:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 4 UDP 10.8.0.1:43641 <-> 200.194.148.68:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 5 UDP 10.8.0.1:39185 <-> 200.194.132.67:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 6 UDP 10.8.0.1:48890 <-> 200.185.125.226:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 7 UDP 10.8.0.1:52257 <-> 200.185.138.146:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 8 UDP 10.8.0.1:43979 <-> 200.194.132.66:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 9 UDP 10.8.0.1:51569 <-> 200.194.148.67:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 10 UDP 10.8.0.1:42620 <-> 200.194.148.66:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 11 UDP 10.8.0.1:41438 -> 200.194.141.66:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] + 12 UDP 10.8.0.1:53354 -> 200.194.137.66:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] + 13 UDP 10.8.0.1:56128 -> 200.194.133.66:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] + 14 UDP 10.8.0.1:48666 -> 200.194.129.66:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] + 15 UDP 10.8.0.1:48563 -> 200.194.141.67:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] + 16 UDP 10.8.0.1:39221 -> 200.194.137.67:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] + 17 UDP 10.8.0.1:37985 -> 200.194.129.67:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] + 18 UDP 10.8.0.1:47714 -> 200.194.129.68:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 
pkts/0 bytes] + 19 UDP 10.8.0.1:59959 -> 200.194.137.68:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] + 20 UDP 10.8.0.1:34687 -> 200.194.141.68:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] + 21 UDP 10.8.0.1:57004 -> 200.194.133.67:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] 22 UDP 10.8.0.1:43934 -> 200.194.136.68:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] 23 UDP 10.8.0.1:47346 -> 200.194.134.66:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] - 24 UDP 10.8.0.1:47714 -> 200.194.129.68:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] - 25 UDP 10.8.0.1:48666 -> 200.194.129.66:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] - 26 UDP 10.8.0.1:52257 <-> 200.185.138.146:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] - 27 UDP 10.8.0.1:52726 <-> 200.194.132.68:6000 [proto: 190/EAQ][5 pkts/290 bytes <-> 5 pkts/290 bytes] - 28 UDP 10.8.0.1:53354 -> 200.194.137.66:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] - 29 UDP 10.8.0.1:56128 -> 200.194.133.66:6000 [proto: 190/EAQ][5 pkts/290 bytes -> 0 pkts/0 bytes] - 30 UDP 10.8.0.1:57004 -> 200.194.133.67:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] - 31 UDP 10.8.0.1:59098 -> 200.194.134.68:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] + 24 UDP 10.8.0.1:36552 -> 200.194.136.66:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] + 25 UDP 10.8.0.1:40058 -> 200.194.134.67:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] + 26 UDP 10.8.0.1:50175 -> 200.194.149.67:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] + 27 UDP 10.8.0.1:36577 -> 200.194.149.68:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] + 28 UDP 10.8.0.1:59098 -> 200.194.134.68:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] + 29 UDP 10.8.0.1:53059 -> 200.194.133.68:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] + 30 UDP 10.8.0.1:33356 -> 200.194.149.66:6000 [proto: 190/EAQ][4 pkts/232 bytes 
-> 0 pkts/0 bytes] + 31 UDP 10.8.0.1:60013 -> 200.194.136.67:6000 [proto: 190/EAQ][4 pkts/232 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/Instagram.pcap.out b/tests/result/Instagram.pcap.out index cb0788864..9c7cc6395 100644 --- a/tests/result/Instagram.pcap.out +++ b/tests/result/Instagram.pcap.out 
@@ -6,37 +6,37 @@ Facebook 251 215986 5 Dropbox 5 725 2 Instagram 363 255094 16 - 1 UDP 192.168.0.106:17500 -> 192.168.0.255:17500 [proto: 121/Dropbox][1 pkts/145 bytes -> 0 pkts/0 bytes] - 2 UDP 192.168.0.103:26540 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][1 pkts/89 bytes <-> 1 pkts/209 bytes][Host: igcdn-photos-g-a.akamaihd.net] - 3 UDP 192.168.0.103:27124 -> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][1 pkts/85 bytes -> 0 pkts/0 bytes][Host: photos-b.ak.instagram.com] - 4 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 91.119/SSL.Facebook][5 pkts/1279 bytes <-> 6 pkts/4118 bytes] - 5 TCP 192.168.0.103:33935 <-> 31.13.93.52:443 [proto: 91.119/SSL.Facebook][5 pkts/1279 bytes <-> 5 pkts/4020 bytes] - 6 TCP 2.22.236.51:80 <-> 192.168.0.103:44151 [proto: 7/HTTP][25 pkts/37100 bytes <-> 24 pkts/1584 bytes] - 7 TCP 192.168.0.103:38816 <-> 46.33.70.160:80 [proto: 7.211/HTTP.Instagram][13 pkts/1118 bytes <-> 39 pkts/57876 bytes][Host: photos-h.ak.instagram.com] + 1 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7.119/HTTP.Facebook][103 pkts/150456 bytes <-> 47 pkts/3102 bytes] + 2 TCP 192.168.0.103:38816 <-> 46.33.70.160:80 [proto: 7.211/HTTP.Instagram][13 pkts/1118 bytes <-> 39 pkts/57876 bytes][Host: photos-h.ak.instagram.com] + 3 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][37 pkts/2702 bytes <-> 38 pkts/54537 bytes][Host: photos-g.ak.instagram.com] + 4 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Host: photos-e.ak.instagram.com] + 5 TCP 192.168.0.103:57936 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][24 pkts/1837 bytes <-> 34 pkts/48383 bytes][Host: photos-g.ak.instagram.com] + 6 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 91.119/SSL.Facebook][34 pkts/5555 bytes <-> 34 pkts/40133 bytes] + 7 TCP 2.22.236.51:80 <-> 192.168.0.103:44151 [proto: 7/HTTP][25 pkts/37100 bytes <-> 24 pkts/1584 bytes] 8 TCP 192.168.0.103:33976 <-> 77.67.29.17:80 [proto: 
7/HTTP][14 pkts/924 bytes <-> 20 pkts/28115 bytes] - 9 TCP 192.168.0.103:37350 -> 82.85.26.153:80 [proto: 7.211/HTTP.Instagram][1 pkts/324 bytes -> 0 pkts/0 bytes][Host: photos-a.ak.instagram.com] - 10 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][8 pkts/896 bytes <-> 6 pkts/4671 bytes][client: igcdn-photos-a-a.akamaihd.net][server: a248.e.akamai.net] - 11 TCP 31.13.86.52:80 <-> 192.168.0.103:58216 [proto: 7.119/HTTP.Facebook][103 pkts/150456 bytes <-> 47 pkts/3102 bytes] - 12 TCP 192.168.0.103:57936 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][24 pkts/1837 bytes <-> 34 pkts/48383 bytes][Host: photos-g.ak.instagram.com] - 13 TCP 192.168.0.103:57966 <-> 82.85.26.185:80 [proto: 7/HTTP][2 pkts/132 bytes <-> 1 pkts/66 bytes] - 14 TCP 192.168.0.103:58052 <-> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][37 pkts/2702 bytes <-> 38 pkts/54537 bytes][Host: photos-g.ak.instagram.com] - 15 TCP 192.168.0.103:56382 <-> 173.252.107.4:443 [proto: 91.211/SSL.Instagram][9 pkts/1583 bytes <-> 8 pkts/1064 bytes][client: telegraph-ash.instagram.com] - 16 UDP 192.168.0.106:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][4 pkts/580 bytes -> 0 pkts/0 bytes] - 17 UDP 192.168.0.103:33603 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][1 pkts/89 bytes <-> 1 pkts/209 bytes][Host: igcdn-photos-a-a.akamaihd.net] - 18 TCP 192.168.0.103:33936 <-> 31.13.93.52:443 [proto: 91.119/SSL.Facebook][34 pkts/5555 bytes <-> 34 pkts/40133 bytes] - 19 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 91.119/SSL.Facebook][6 pkts/4699 bytes <-> 6 pkts/1345 bytes] + 9 TCP 92.122.48.138:80 <-> 192.168.0.103:41562 [proto: 7/HTTP][16 pkts/22931 bytes <-> 9 pkts/594 bytes] + 10 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/SSL.Instagram][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][client: igcdn-photos-g-a.akamaihd.net][server: a248.e.akamai.net] + 11 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/SSL.Instagram][10 pkts/1545 bytes <-> 7 pkts/4824 
bytes][client: igcdn-photos-h-a.akamaihd.net][server: a248.e.akamai.net] + 12 TCP 31.13.93.52:443 <-> 192.168.0.103:33934 [proto: 91.119/SSL.Facebook][6 pkts/4699 bytes <-> 6 pkts/1345 bytes] + 13 TCP 192.168.0.103:41181 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][8 pkts/896 bytes <-> 6 pkts/4671 bytes][client: igcdn-photos-a-a.akamaihd.net][server: a248.e.akamai.net] + 14 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][8 pkts/896 bytes <-> 6 pkts/4671 bytes][client: igcdn-photos-a-a.akamaihd.net][server: a248.e.akamai.net] + 15 TCP 192.168.0.103:33763 <-> 31.13.93.52:443 [proto: 91.119/SSL.Facebook][5 pkts/1279 bytes <-> 6 pkts/4118 bytes] + 16 TCP 192.168.0.103:33935 <-> 31.13.93.52:443 [proto: 91.119/SSL.Facebook][5 pkts/1279 bytes <-> 5 pkts/4020 bytes] + 17 TCP 192.168.0.103:57965 <-> 82.85.26.185:80 [proto: 7.211/HTTP.Instagram][4 pkts/559 bytes <-> 3 pkts/3456 bytes][Host: photos-f.ak.instagram.com] + 18 TCP 192.168.0.103:56382 <-> 173.252.107.4:443 [proto: 91.211/SSL.Instagram][9 pkts/1583 bytes <-> 8 pkts/1064 bytes][client: telegraph-ash.instagram.com] + 19 UDP 192.168.0.106:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][4 pkts/580 bytes -> 0 pkts/0 bytes] 20 ICMP 192.168.0.103:0 -> 192.168.0.103:0 [proto: 81/ICMP][5 pkts/510 bytes -> 0 pkts/0 bytes] - 21 TCP 192.168.0.103:38817 <-> 46.33.70.160:80 [proto: 7/HTTP][2 pkts/132 bytes <-> 1 pkts/66 bytes] - 22 TCP 46.33.70.150:80 <-> 192.168.0.103:40855 [proto: 7/HTTP][1 pkts/74 bytes <-> 1 pkts/66 bytes] - 23 UDP 192.168.0.103:51219 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][1 pkts/89 bytes <-> 1 pkts/305 bytes][Host: igcdn-photos-h-a.akamaihd.net] - 24 TCP 192.168.0.103:44558 <-> 46.33.70.174:443 [proto: 91.211/SSL.Instagram][10 pkts/1545 bytes <-> 7 pkts/4824 bytes][client: igcdn-photos-h-a.akamaihd.net][server: a248.e.akamai.net] - 25 TCP 192.168.0.103:41182 <-> 82.85.26.154:443 [proto: 91.211/SSL.Instagram][8 pkts/896 bytes <-> 6 pkts/4671 bytes][client: 
igcdn-photos-a-a.akamaihd.net][server: a248.e.akamai.net] - 26 TCP 92.122.48.138:80 <-> 192.168.0.103:41562 [proto: 7/HTTP][16 pkts/22931 bytes <-> 9 pkts/594 bytes] - 27 TCP 192.168.0.103:44379 <-> 82.85.26.186:80 [proto: 7.211/HTTP.Instagram][41 pkts/3392 bytes <-> 40 pkts/50024 bytes][Host: photos-e.ak.instagram.com] + 21 UDP 192.168.0.103:51219 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][1 pkts/89 bytes <-> 1 pkts/305 bytes][Host: igcdn-photos-h-a.akamaihd.net] + 22 TCP 192.168.0.103:37350 -> 82.85.26.153:80 [proto: 7.211/HTTP.Instagram][1 pkts/324 bytes -> 0 pkts/0 bytes][Host: photos-a.ak.instagram.com] + 23 TCP 192.168.0.103:58053 -> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][1 pkts/321 bytes -> 0 pkts/0 bytes][Host: photos-g.ak.instagram.com] + 24 UDP 192.168.0.103:26540 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][1 pkts/89 bytes <-> 1 pkts/209 bytes][Host: igcdn-photos-g-a.akamaihd.net] + 25 UDP 192.168.0.103:33603 <-> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][1 pkts/89 bytes <-> 1 pkts/209 bytes][Host: igcdn-photos-a-a.akamaihd.net] + 26 TCP 192.168.0.103:38817 <-> 46.33.70.160:80 [proto: 7/HTTP][2 pkts/132 bytes <-> 1 pkts/66 bytes] + 27 TCP 192.168.0.103:57966 <-> 82.85.26.185:80 [proto: 7/HTTP][2 pkts/132 bytes <-> 1 pkts/66 bytes] 28 TCP 192.168.0.103:58690 -> 46.33.70.159:443 [proto: 91/SSL][2 pkts/169 bytes -> 0 pkts/0 bytes] - 29 TCP 192.168.0.103:60908 <-> 46.33.70.136:443 [proto: 91.211/SSL.Instagram][10 pkts/1369 bytes <-> 9 pkts/7971 bytes][client: igcdn-photos-g-a.akamaihd.net][server: a248.e.akamai.net] - 30 TCP 192.168.0.103:57965 <-> 82.85.26.185:80 [proto: 7.211/HTTP.Instagram][4 pkts/559 bytes <-> 3 pkts/3456 bytes][Host: photos-f.ak.instagram.com] - 31 TCP 192.168.0.103:58053 -> 82.85.26.162:80 [proto: 7.211/HTTP.Instagram][1 pkts/321 bytes -> 0 pkts/0 bytes][Host: photos-g.ak.instagram.com] + 29 UDP 192.168.0.106:17500 -> 192.168.0.255:17500 [proto: 121/Dropbox][1 pkts/145 bytes -> 0 pkts/0 bytes] + 30 TCP 46.33.70.150:80 <-> 
192.168.0.103:40855 [proto: 7/HTTP][1 pkts/74 bytes <-> 1 pkts/66 bytes] + 31 UDP 192.168.0.103:27124 -> 8.8.8.8:53 [proto: 5.211/DNS.Instagram][1 pkts/85 bytes -> 0 pkts/0 bytes][Host: photos-b.ak.instagram.com] Undetected flows: diff --git a/tests/result/KakaoTalk_chat.pcap.out b/tests/result/KakaoTalk_chat.pcap.out index cdc055e8c..89a19fea5 100644 --- a/tests/result/KakaoTalk_chat.pcap.out +++ b/tests/result/KakaoTalk_chat.pcap.out 
@@ -8,41 +8,41 @@ HTTP_Proxy 26 3926 1 Amazon 2 181 1 KakaoTalk 55 9990 15 - 1 UDP 10.24.82.188:56820 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-c.talk.kakao.com] - 2 UDP 10.24.82.188:57816 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/78 bytes <-> 1 pkts/166 bytes][Host: katalk.kakao.com] - 3 UDP 10.24.82.188:58810 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/76 bytes <-> 1 pkts/114 bytes][Host: item.kakao.com] - 4 TCP 120.28.26.242:80 -> 10.24.82.188:34503 [proto: 7/HTTP][1 pkts/56 bytes -> 0 pkts/0 bytes] - 5 ICMP 10.24.82.188:0 -> 10.188.191.1:0 [proto: 81/ICMP][1 pkts/147 bytes -> 0 pkts/0 bytes] - 6 UDP 10.24.82.188:4017 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][1 pkts/85 bytes <-> 1 pkts/144 bytes][Host: developers.facebook.com] - 7 UDP 10.24.82.188:5929 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-p.talk.kakao.com] - 8 TCP 10.24.82.188:58927 -> 54.255.253.199:5223 [proto: 178/Amazon][2 pkts/181 bytes -> 0 pkts/0 bytes] - 9 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][17 pkts/2231 bytes <-> 9 pkts/1695 bytes] - 10 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/SSL.KakaoTalk][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][server: *.kakao.com] - 11 UDP 10.24.82.188:25117 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/82 bytes <-> 1 pkts/126 bytes][Host: up-gp.talk.kakao.com] - 12 UDP 10.24.82.188:29029 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-a.talk.kakao.com] - 13 UDP 10.24.82.188:35603 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/79 bytes <-> 1 pkts/136 bytes][Host: ac-talk.kakao.com] - 14 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][5 pkts/487 bytes <-> 5 pkts/571 bytes][Host: www.facebook.com] - 15 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][5 pkts/487 bytes <-> 6 pkts/627 
bytes][Host: www.facebook.com] - 16 UDP 10.24.82.188:41909 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/84 bytes <-> 1 pkts/130 bytes][Host: booking.loco.kakao.com] - 17 UDP 10.24.82.188:43077 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/97 bytes][Host: dn-l.talk.kakao.com] - 18 UDP 10.24.82.188:61011 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/119 bytes][Host: plus-talk.kakao.com] - 19 UDP 10.24.82.188:61011 <-> 10.188.191.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/119 bytes][Host: plus-talk.kakao.com] - 20 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91/SSL][3 pkts/290 bytes <-> 3 pkts/1600 bytes][server: *.push.samsungosp.com] - 21 UDP 10.24.82.188:9094 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-v.talk.kakao.com] - 22 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][server: *.facebook.com] - 23 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][server: *.facebook.com] - 24 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][9 pkts/1737 bytes <-> 9 pkts/672 bytes] + 1 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/SSL.Facebook][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][client: graph.facebook.com][server: *.facebook.com] + 2 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][client: developers.facebook.com][server: *.facebook.com] + 3 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][client: api.facebook.com][server: *.facebook.com] + 4 TCP 10.24.82.188:35503 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][20 pkts/2849 bytes <-> 18 pkts/4742 bytes][server: *.facebook.com] + 5 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 
91.119/SSL.Facebook][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][server: *.facebook.com] + 6 TCP 10.24.82.188:35511 <-> 173.252.97.2:443 [proto: 91.119/SSL.Facebook][18 pkts/2390 bytes <-> 18 pkts/4762 bytes][server: *.facebook.com] + 7 TCP 10.24.82.188:37821 <-> 210.103.240.15:443 [proto: 91.193/SSL.KakaoTalk][13 pkts/2036 bytes <-> 14 pkts/5090 bytes][server: *.kakao.com] + 8 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][17 pkts/2231 bytes <-> 9 pkts/1695 bytes] + 9 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][9 pkts/1737 bytes <-> 9 pkts/672 bytes] + 10 TCP 10.24.82.188:58964 <-> 54.255.253.199:5223 [proto: 91/SSL][3 pkts/290 bytes <-> 3 pkts/1600 bytes][server: *.push.samsungosp.com] + 11 TCP 10.24.82.188:37557 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][5 pkts/487 bytes <-> 6 pkts/627 bytes][Host: www.facebook.com] + 12 TCP 10.24.82.188:37553 <-> 31.13.68.84:80 [proto: 7.119/HTTP.Facebook][5 pkts/487 bytes <-> 5 pkts/571 bytes][Host: www.facebook.com] + 13 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][7 pkts/392 bytes <-> 7 pkts/392 bytes] + 14 TCP 10.24.82.188:42332 <-> 210.103.240.15:443 [proto: 91/SSL][2 pkts/112 bytes <-> 3 pkts/168 bytes] + 15 TCP 31.13.68.73:443 <-> 10.24.82.188:47007 [proto: 91.119/SSL.Facebook][2 pkts/139 bytes <-> 2 pkts/112 bytes] + 16 UDP 10.24.82.188:57816 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/78 bytes <-> 1 pkts/166 bytes][Host: katalk.kakao.com] + 17 UDP 10.24.82.188:4017 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][1 pkts/85 bytes <-> 1 pkts/144 bytes][Host: developers.facebook.com] + 18 UDP 10.24.82.188:19582 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][1 pkts/80 bytes <-> 1 pkts/138 bytes][Host: graph.facebook.com] + 19 UDP 10.24.82.188:14650 <-> 10.188.1.1:53 [proto: 5/DNS][1 pkts/87 bytes <-> 1 pkts/130 bytes][Host: 2.97.252.173.in-addr.arpa] + 20 UDP 10.24.82.188:35603 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/79 bytes <-> 1 
pkts/136 bytes][Host: ac-talk.kakao.com] + 21 UDP 10.24.82.188:41909 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/84 bytes <-> 1 pkts/130 bytes][Host: booking.loco.kakao.com] + 22 UDP 10.24.82.188:25117 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/82 bytes <-> 1 pkts/126 bytes][Host: up-gp.talk.kakao.com] + 23 UDP 10.24.82.188:9094 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-v.talk.kakao.com] + 24 UDP 10.24.82.188:29029 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-a.talk.kakao.com] 25 UDP 10.24.82.188:12908 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-m.talk.kakao.com] - 26 TCP 10.24.82.188:34686 -> 173.194.72.188:5228 [proto: 126/Google][1 pkts/164 bytes -> 0 pkts/0 bytes] - 27 UDP 10.24.82.188:14650 <-> 10.188.1.1:53 [proto: 5/DNS][1 pkts/87 bytes <-> 1 pkts/130 bytes][Host: 2.97.252.173.in-addr.arpa] - 28 UDP 10.24.82.188:19582 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][1 pkts/80 bytes <-> 1 pkts/138 bytes][Host: graph.facebook.com] - 29 TCP 216.58.221.10:80 <-> 10.24.82.188:35922 [proto: 7.126/HTTP.Google][7 pkts/392 bytes <-> 7 pkts/392 bytes] + 26 UDP 10.24.82.188:5929 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-p.talk.kakao.com] + 27 UDP 10.24.82.188:56820 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/124 bytes][Host: up-c.talk.kakao.com] + 28 UDP 10.24.82.188:61011 <-> 10.188.191.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/119 bytes][Host: plus-talk.kakao.com] + 29 UDP 10.24.82.188:61011 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/119 bytes][Host: plus-talk.kakao.com] 30 UDP 10.24.82.188:24596 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][1 pkts/78 bytes <-> 1 pkts/118 bytes][Host: api.facebook.com] - 31 TCP 10.24.82.188:42332 <-> 210.103.240.15:443 [proto: 91/SSL][2 
pkts/112 bytes <-> 3 pkts/168 bytes] - 32 TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91.126/SSL.Google][1 pkts/83 bytes -> 0 pkts/0 bytes] - 33 UDP 10.24.82.188:38448 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/76 bytes <-> 1 pkts/114 bytes][Host: auth.kakao.com] - 34 TCP 10.24.82.188:43581 <-> 31.13.68.70:443 [proto: 91.119/SSL.Facebook][17 pkts/3461 bytes <-> 17 pkts/6194 bytes][client: graph.facebook.com][server: *.facebook.com] - 35 TCP 10.24.82.188:45209 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][10 pkts/2584 bytes <-> 9 pkts/5123 bytes][client: api.facebook.com][server: *.facebook.com] - 36 TCP 10.24.82.188:45211 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][14 pkts/2575 bytes <-> 15 pkts/6502 bytes][client: developers.facebook.com][server: *.facebook.com] - 37 TCP 10.24.82.188:45213 <-> 31.13.68.84:443 [proto: 91.119/SSL.Facebook][15 pkts/2508 bytes <-> 13 pkts/5053 bytes][server: *.facebook.com] - 38 TCP 31.13.68.73:443 <-> 10.24.82.188:47007 [proto: 91.119/SSL.Facebook][2 pkts/139 bytes <-> 2 pkts/112 bytes] + 31 UDP 10.24.82.188:58810 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/76 bytes <-> 1 pkts/114 bytes][Host: item.kakao.com] + 32 UDP 10.24.82.188:38448 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/76 bytes <-> 1 pkts/114 bytes][Host: auth.kakao.com] + 33 TCP 10.24.82.188:58927 -> 54.255.253.199:5223 [proto: 178/Amazon][2 pkts/181 bytes -> 0 pkts/0 bytes] + 34 UDP 10.24.82.188:43077 <-> 10.188.1.1:53 [proto: 5.193/DNS.KakaoTalk][1 pkts/81 bytes <-> 1 pkts/97 bytes][Host: dn-l.talk.kakao.com] + 35 TCP 10.24.82.188:34686 -> 173.194.72.188:5228 [proto: 126/Google][1 pkts/164 bytes -> 0 pkts/0 bytes] + 36 ICMP 10.24.82.188:0 -> 10.188.191.1:0 [proto: 81/ICMP][1 pkts/147 bytes -> 0 pkts/0 bytes] + 37 TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91.126/SSL.Google][1 pkts/83 bytes -> 0 pkts/0 bytes] + 38 TCP 120.28.26.242:80 -> 10.24.82.188:34503 [proto: 7/HTTP][1 pkts/56 bytes -> 0 pkts/0 bytes] 
diff --git a/tests/result/KakaoTalk_talk.pcap.out b/tests/result/KakaoTalk_talk.pcap.out
index c01c64475..8d4ec7074 100644
--- a/tests/result/KakaoTalk_talk.pcap.out
+++ b/tests/result/KakaoTalk_talk.pcap.out
@@ -10,23 +10,23 @@ Tor 40 10538 1 Amazon 4 396 1 KakaoTalk_Voice 44 6196 2 - 1 TCP 120.28.26.242:80 <-> 10.24.82.188:34533 [proto: 7/HTTP][3 pkts/168 bytes <-> 2 pkts/112 bytes] - 2 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 178/Amazon][2 pkts/225 bytes <-> 2 pkts/171 bytes] - 3 TCP 173.194.117.229:443 -> 10.24.82.188:38380 [proto: 91.126/SSL.Google][1 pkts/56 bytes -> 0 pkts/0 bytes] - 4 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][6 pkts/543 bytes <-> 5 pkts/945 bytes] - 5 UDP 10.24.82.188:25223 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][1 pkts/79 bytes <-> 1 pkts/118 bytes][Host: mqtt.facebook.com] - 6 TCP 173.252.88.128:443 -> 10.24.82.188:59912 [proto: 91.119/SSL.Facebook][2 pkts/124 bytes -> 0 pkts/0 bytes] - 7 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 64/SSL_No_Cert][15 pkts/2932 bytes <-> 14 pkts/1092 bytes] - 8 TCP 10.24.82.188:53974 -> 203.205.151.233:8080 [proto: 131/HTTP_Proxy][5 pkts/350 bytes -> 0 pkts/0 bytes] - 9 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 64/SSL_No_Cert][23 pkts/4380 bytes <-> 22 pkts/5728 bytes] + 1 UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][757 pkts/106335 bytes <-> 746 pkts/93906 bytes] + 2 UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][746 pkts/93906 bytes <-> 742 pkts/104604 bytes] + 3 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 163/Tor][22 pkts/5326 bytes <-> 18 pkts/5212 bytes] + 4 TCP 10.24.82.188:32968 <-> 110.76.143.50:8080 [proto: 64/SSL_No_Cert][23 pkts/4380 bytes <-> 22 pkts/5728 bytes] + 5 TCP 10.24.82.188:59954 <-> 173.252.88.128:443 [proto: 64/SSL_No_Cert][15 pkts/2932 bytes <-> 14 pkts/1092 bytes] + 6 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][12 pkts/1692 bytes <-> 10 pkts/1420 bytes] + 7 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][11 pkts/1542 bytes <-> 11 pkts/1542 bytes] + 8 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 7.48/HTTP.QQ][8 
pkts/1117 bytes <-> 7 pkts/610 bytes][Host: hkminorshort.weixin.qq.com] + 9 TCP 10.24.82.188:51021 <-> 103.246.57.251:8080 [proto: 131/HTTP_Proxy][6 pkts/543 bytes <-> 5 pkts/945 bytes] 10 TCP 139.150.0.125:443 <-> 10.24.82.188:46947 [proto: 91/SSL][3 pkts/1044 bytes <-> 2 pkts/154 bytes] - 11 TCP 10.24.82.188:34686 -> 173.194.72.188:5228 [proto: 126/Google][1 pkts/164 bytes -> 0 pkts/0 bytes] - 12 TCP 10.24.82.188:58857 <-> 110.76.143.50:9001 [proto: 163/Tor][22 pkts/5326 bytes <-> 18 pkts/5212 bytes] - 13 TCP 173.252.122.1:443 -> 10.24.82.188:52123 [proto: 91.119/SSL.Facebook][1 pkts/56 bytes -> 0 pkts/0 bytes] - 14 TCP 10.24.82.188:48489 <-> 203.205.147.215:80 [proto: 7.48/HTTP.QQ][8 pkts/1117 bytes <-> 7 pkts/610 bytes][Host: hkminorshort.weixin.qq.com] - 15 UDP 10.24.82.188:10269 <-> 1.201.1.174:23047 [proto: 194/KakaoTalk_Voice][12 pkts/1692 bytes <-> 10 pkts/1420 bytes] - 16 UDP 10.24.82.188:10268 <-> 1.201.1.174:23046 [proto: 87/RTP][746 pkts/93906 bytes <-> 742 pkts/104604 bytes] - 17 UDP 10.24.82.188:11321 <-> 1.201.1.174:23045 [proto: 194/KakaoTalk_Voice][11 pkts/1542 bytes <-> 11 pkts/1542 bytes] - 18 UDP 10.24.82.188:11320 <-> 1.201.1.174:23044 [proto: 87/RTP][757 pkts/106335 bytes <-> 746 pkts/93906 bytes] - 19 TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91.126/SSL.Google][1 pkts/83 bytes -> 0 pkts/0 bytes] + 11 TCP 10.24.82.188:58916 <-> 54.255.185.236:5222 [proto: 178/Amazon][2 pkts/225 bytes <-> 2 pkts/171 bytes] + 12 TCP 10.24.82.188:53974 -> 203.205.151.233:8080 [proto: 131/HTTP_Proxy][5 pkts/350 bytes -> 0 pkts/0 bytes] + 13 TCP 120.28.26.242:80 <-> 10.24.82.188:34533 [proto: 7/HTTP][3 pkts/168 bytes <-> 2 pkts/112 bytes] + 14 UDP 10.24.82.188:25223 <-> 10.188.1.1:53 [proto: 5.119/DNS.Facebook][1 pkts/79 bytes <-> 1 pkts/118 bytes][Host: mqtt.facebook.com] + 15 TCP 10.24.82.188:34686 -> 173.194.72.188:5228 [proto: 126/Google][1 pkts/164 bytes -> 0 pkts/0 bytes] + 16 TCP 173.252.88.128:443 -> 10.24.82.188:59912 [proto: 
91.119/SSL.Facebook][2 pkts/124 bytes -> 0 pkts/0 bytes] + 17 TCP 10.24.82.188:49217 -> 216.58.220.174:443 [proto: 91.126/SSL.Google][1 pkts/83 bytes -> 0 pkts/0 bytes] + 18 TCP 173.252.122.1:443 -> 10.24.82.188:52123 [proto: 91.119/SSL.Facebook][1 pkts/56 bytes -> 0 pkts/0 bytes] + 19 TCP 173.194.117.229:443 -> 10.24.82.188:38380 [proto: 91.126/SSL.Google][1 pkts/56 bytes -> 0 pkts/0 bytes] 20 TCP 216.58.220.161:443 -> 10.24.82.188:56697 [proto: 91.126/SSL.Google][1 pkts/56 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/Viber_session.pcap.out b/tests/result/Viber_session.pcap.out index 88d9589a3..679865a83 100644 --- a/tests/result/Viber_session.pcap.out +++ b/tests/result/Viber_session.pcap.out 
@@ -11,44 +11,44 @@ WhatsApp 5 412 1 Viber 4163 392492 4 Amazon 1 66 1 - 1 TCP 192.168.200.222:57999 <-> 74.125.130.188:5228 [proto: 126/Google][5 pkts/389 bytes <-> 5 pkts/368 bytes] - 2 TCP 192.168.200.222:59011 <-> 74.125.130.188:5228 [proto: 126/Google][5 pkts/428 bytes <-> 4 pkts/264 bytes] - 3 TCP 192.168.200.222:60828 -> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 4 TCP 192.168.200.222:44058 <-> 158.85.58.23:443 [proto: 91.142/SSL.WhatsApp][2 pkts/157 bytes <-> 3 pkts/255 bytes] - 5 TCP 222.165.163.117:443 <-> 192.168.200.222:47424 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] - 6 TCP 192.168.200.222:38039 <-> 31.13.79.246:443 [proto: 91.119/SSL.Facebook][14 pkts/1058 bytes <-> 9 pkts/2287 bytes] - 7 TCP 216.58.199.206:443 <-> 192.168.200.222:58663 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 8 TCP 192.168.200.222:38778 -> 54.251.141.219:80 [proto: 7.178/HTTP.Amazon][1 pkts/66 bytes -> 0 pkts/0 bytes] - 9 TCP 192.168.200.222:39339 <-> 54.169.63.186:443 [proto: 91.144/SSL.Viber][4 pkts/272 bytes <-> 2 pkts/140 bytes] - 10 TCP 192.168.200.222:33161 -> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 11 TCP 192.168.200.222:52491 <-> 31.13.79.245:443 [proto: 91.119/SSL.Facebook][3 pkts/250 bytes <-> 3 pkts/349 bytes] - 12 TCP 192.168.200.222:36675 -> 112.124.219.82:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 13 TCP 192.168.200.222:51055 <-> 74.125.68.156:443 [proto: 91.126/SSL.Google][15 pkts/1329 bytes <-> 9 pkts/750 bytes] - 14 TCP 192.168.200.222:46761 <-> 112.124.219.93:80 [proto: 7/HTTP][4 pkts/254 bytes <-> 3 pkts/182 bytes] - 15 TCP 192.168.200.222:52977 -> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 16 TCP 222.165.163.93:443 <-> 192.168.200.222:52635 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] - 17 TCP 222.165.163.93:443 <-> 192.168.200.222:52641 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] - 18 TCP 222.165.163.91:443 
<-> 192.168.200.222:56243 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] - 19 ICMP 192.168.200.222:0 -> 192.168.1.1:0 [proto: 81/ICMP][2 pkts/196 bytes -> 0 pkts/0 bytes] - 20 TCP 74.125.68.239:443 <-> 192.168.200.222:37376 [proto: 91.126/SSL.Google][2 pkts/195 bytes <-> 3 pkts/229 bytes] - 21 TCP 192.168.200.222:43287 <-> 52.0.253.46:443 [proto: 64/SSL_No_Cert][21 pkts/2257 bytes <-> 13 pkts/1884 bytes] - 22 TCP 192.168.200.222:51146 <-> 23.21.254.189:443 [proto: 91/SSL][11 pkts/1043 bytes <-> 4 pkts/441 bytes][client: e.crashlytics.com] - 23 TCP 192.168.200.222:43454 <-> 52.0.253.46:4244 [proto: 144/Viber][7 pkts/689 bytes <-> 5 pkts/472 bytes] - 24 TCP 192.168.200.222:42040 <-> 74.125.200.18:443 [proto: 91.122/SSL.GMail][15 pkts/1318 bytes <-> 6 pkts/573 bytes][client: mail.google.com] - 25 TCP 192.168.200.222:43646 -> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 26 TCP 192.168.200.222:40005 <-> 108.168.176.234:443 [proto: 91/SSL][12 pkts/1116 bytes <-> 12 pkts/1732 bytes] - 27 UDP 192.168.200.222:48564 <-> 54.169.63.186:7987 [proto: 144/Viber][1 pkts/76 bytes <-> 1 pkts/62 bytes] - 28 UDP 192.168.200.222:48564 <-> 54.169.63.186:7985 [proto: 144/Viber][2835 pkts/280455 bytes <-> 1308 pkts/110326 bytes] + 1 UDP 192.168.200.222:48564 <-> 54.169.63.186:7985 [proto: 144/Viber][2835 pkts/280455 bytes <-> 1308 pkts/110326 bytes] + 2 TCP 192.168.200.222:43287 <-> 52.0.253.46:443 [proto: 64/SSL_No_Cert][21 pkts/2257 bytes <-> 13 pkts/1884 bytes] + 3 TCP 192.168.200.222:38039 <-> 31.13.79.246:443 [proto: 91.119/SSL.Facebook][14 pkts/1058 bytes <-> 9 pkts/2287 bytes] + 4 TCP 192.168.200.222:40005 <-> 108.168.176.234:443 [proto: 91/SSL][12 pkts/1116 bytes <-> 12 pkts/1732 bytes] + 5 TCP 192.168.200.222:51055 <-> 74.125.68.156:443 [proto: 91.126/SSL.Google][15 pkts/1329 bytes <-> 9 pkts/750 bytes] + 6 TCP 192.168.200.222:42040 <-> 74.125.200.18:443 [proto: 91.122/SSL.GMail][15 pkts/1318 bytes <-> 6 pkts/573 bytes][client: mail.google.com] + 
7 TCP 192.168.200.222:51146 <-> 23.21.254.189:443 [proto: 91/SSL][11 pkts/1043 bytes <-> 4 pkts/441 bytes][client: e.crashlytics.com] + 8 TCP 192.168.200.222:52269 <-> 107.22.192.179:443 [proto: 91/SSL][12 pkts/1116 bytes <-> 4 pkts/303 bytes][client: settings.crashlytics.com] + 9 TCP 192.168.200.222:43454 <-> 52.0.253.46:4244 [proto: 144/Viber][7 pkts/689 bytes <-> 5 pkts/472 bytes] + 10 TCP 192.168.200.222:57999 <-> 74.125.130.188:5228 [proto: 126/Google][5 pkts/389 bytes <-> 5 pkts/368 bytes] + 11 TCP 192.168.200.222:59011 <-> 74.125.130.188:5228 [proto: 126/Google][5 pkts/428 bytes <-> 4 pkts/264 bytes] + 12 TCP 192.168.200.222:52491 <-> 31.13.79.245:443 [proto: 91.119/SSL.Facebook][3 pkts/250 bytes <-> 3 pkts/349 bytes] + 13 TCP 192.168.200.222:46761 <-> 112.124.219.93:80 [proto: 7/HTTP][4 pkts/254 bytes <-> 3 pkts/182 bytes] + 14 TCP 74.125.68.239:443 <-> 192.168.200.222:37376 [proto: 91.126/SSL.Google][2 pkts/195 bytes <-> 3 pkts/229 bytes] + 15 TCP 192.168.200.222:44058 <-> 158.85.58.23:443 [proto: 91.142/SSL.WhatsApp][2 pkts/157 bytes <-> 3 pkts/255 bytes] + 16 TCP 192.168.200.222:39339 <-> 54.169.63.186:443 [proto: 91.144/SSL.Viber][4 pkts/272 bytes <-> 2 pkts/140 bytes] + 17 TCP 222.165.163.91:443 <-> 192.168.200.222:56243 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] + 18 TCP 222.165.163.117:443 <-> 192.168.200.222:47424 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] + 19 TCP 222.165.163.93:443 <-> 192.168.200.222:52641 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] + 20 TCP 222.165.163.93:443 <-> 192.168.200.222:52635 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] + 21 ICMP 192.168.200.222:0 -> 192.168.1.1:0 [proto: 81/ICMP][2 pkts/196 bytes -> 0 pkts/0 bytes] + 22 UDP 192.168.200.222:48564 <-> 54.169.63.186:7987 [proto: 144/Viber][1 pkts/76 bytes <-> 1 pkts/62 bytes] + 23 TCP 216.58.199.206:443 <-> 192.168.200.222:58663 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] + 24 TCP 192.168.200.222:51765 -> 
108.160.172.205:443 [proto: 91.121/SSL.Dropbox][1 pkts/97 bytes -> 0 pkts/0 bytes] + 25 TCP 192.168.200.222:38778 -> 54.251.141.219:80 [proto: 7.178/HTTP.Amazon][1 pkts/66 bytes -> 0 pkts/0 bytes] + 26 TCP 192.168.200.222:43646 -> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] + 27 TCP 192.168.200.222:52977 -> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] + 28 TCP 192.168.200.222:60828 -> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] 29 TCP 192.168.200.222:50854 -> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 30 TCP 192.168.200.222:51765 -> 108.160.172.205:443 [proto: 91.121/SSL.Dropbox][1 pkts/97 bytes -> 0 pkts/0 bytes] - 31 TCP 192.168.200.222:52269 <-> 107.22.192.179:443 [proto: 91/SSL][12 pkts/1116 bytes <-> 4 pkts/303 bytes][client: settings.crashlytics.com] + 30 TCP 192.168.200.222:36675 -> 112.124.219.82:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] + 31 TCP 192.168.200.222:33161 -> 93.184.221.200:80 [proto: 7/HTTP][1 pkts/60 bytes -> 0 pkts/0 bytes] Undetected flows: - 1 TCP 192.168.200.222:55554 <-> 113.31.80.142:7003 [proto: 0/Unknown][4 pkts/276 bytes <-> 2 pkts/170 bytes] + 1 UDP 192.168.200.222:48564 -> 175.157.52.135:37300 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] 2 UDP 192.168.200.222:48564 -> 175.157.52.135:37299 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] 3 UDP 192.168.200.222:48564 -> 175.157.52.135:37301 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] - 4 TCP 192.168.200.222:55565 <-> 113.31.80.142:7003 [proto: 0/Unknown][4 pkts/341 bytes <-> 3 pkts/208 bytes] + 4 UDP 192.168.200.222:48564 -> 175.157.52.135:37302 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] 5 UDP 192.168.200.222:48564 -> 10.216.246.82:59027 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] - 6 UDP 192.168.200.222:48564 -> 175.157.52.135:37300 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] - 7 UDP 
192.168.200.222:48564 -> 175.157.52.135:37302 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] + 6 TCP 192.168.200.222:55565 <-> 113.31.80.142:7003 [proto: 0/Unknown][4 pkts/341 bytes <-> 3 pkts/208 bytes] + 7 TCP 192.168.200.222:55554 <-> 113.31.80.142:7003 [proto: 0/Unknown][4 pkts/276 bytes <-> 2 pkts/170 bytes] diff --git a/tests/result/bittorrent.pcap.out b/tests/result/bittorrent.pcap.out index 99ffd9a8b..2fa8b8679 100644 --- a/tests/result/bittorrent.pcap.out +++ b/tests/result/bittorrent.pcap.out 
@@ -1,26 +1,26 @@ BitTorrent 299 305728 24 - 1 TCP 192.168.1.3:52908 -> 79.55.129.22:12097 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 2 TCP 192.168.1.3:52896 <-> 79.53.228.2:14627 [proto: 37/BitTorrent][3 pkts/409 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 3 TCP 192.168.1.3:52922 <-> 95.237.193.34:11321 [proto: 37/BitTorrent][3 pkts/434 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 4 TCP 192.168.1.3:52925 -> 93.65.227.100:19116 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 5 TCP 192.168.1.3:52907 <-> 82.58.216.115:38305 [proto: 37/BitTorrent][2 pkts/583 bytes <-> 2 pkts/818 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 1 TCP 192.168.1.3:52915 <-> 198.100.146.9:60163 [proto: 37/BitTorrent][17 pkts/2745 bytes <-> 193 pkts/282394 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 2 TCP 192.168.1.3:52895 <-> 83.216.184.241:51413 [proto: 37/BitTorrent][4 pkts/583 bytes <-> 4 pkts/975 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 3 TCP 192.168.1.3:52914 <-> 190.103.195.56:46633 [proto: 37/BitTorrent][4 pkts/640 bytes <-> 3 pkts/910 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 4 TCP 192.168.1.3:52907 <-> 82.58.216.115:38305 [proto: 37/BitTorrent][2 pkts/583 bytes <-> 2 pkts/818 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 5 TCP 192.168.1.3:52927 <-> 83.216.184.241:51413 [proto: 37/BitTorrent][3 pkts/582 bytes <-> 2 pkts/796 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] 6 TCP 192.168.1.3:52897 <-> 151.26.95.30:22673 [proto: 37/BitTorrent][3 pkts/510 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 7 TCP 192.168.1.3:52911 <-> 151.26.95.30:22673 [proto: 37/BitTorrent][3 pkts/442 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 8 
TCP 192.168.1.3:52921 <-> 95.234.159.16:41205 [proto: 37/BitTorrent][3 pkts/440 bytes <-> 2 pkts/772 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 9 TCP 192.168.1.3:52894 -> 120.62.33.241:39332 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 10 TCP 192.168.1.3:52910 -> 120.62.33.241:39332 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 11 TCP 192.168.1.3:52895 <-> 83.216.184.241:51413 [proto: 37/BitTorrent][4 pkts/583 bytes <-> 4 pkts/975 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 12 TCP 192.168.1.3:52927 <-> 83.216.184.241:51413 [proto: 37/BitTorrent][3 pkts/582 bytes <-> 2 pkts/796 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 13 TCP 192.168.1.3:52906 <-> 82.57.97.83:53137 [proto: 37/BitTorrent][3 pkts/434 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 14 TCP 192.168.1.3:52902 <-> 190.103.195.56:46633 [proto: 37/BitTorrent][2 pkts/349 bytes <-> 2 pkts/265 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 15 TCP 192.168.1.3:52914 <-> 190.103.195.56:46633 [proto: 37/BitTorrent][4 pkts/640 bytes <-> 3 pkts/910 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 16 TCP 192.168.1.3:52893 -> 79.55.129.22:12097 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 17 TCP 192.168.1.3:52912 <-> 151.72.255.163:59928 [proto: 37/BitTorrent][3 pkts/455 bytes <-> 1 pkts/157 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 18 TCP 192.168.1.3:52909 -> 79.53.228.2:14627 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 19 TCP 192.168.1.3:52903 <-> 198.100.146.9:60163 [proto: 37/BitTorrent][3 pkts/410 bytes <-> 3 pkts/851 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 20 TCP 192.168.1.3:52915 <-> 198.100.146.9:60163 
[proto: 37/BitTorrent][17 pkts/2745 bytes <-> 193 pkts/282394 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 21 TCP 192.168.1.3:52926 <-> 93.65.249.100:31336 [proto: 37/BitTorrent][1 pkts/134 bytes <-> 2 pkts/796 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 22 TCP 192.168.1.3:52888 <-> 82.58.216.115:38305 [proto: 37/BitTorrent][1 pkts/134 bytes <-> 1 pkts/624 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 23 TCP 192.168.1.3:52887 <-> 82.57.97.83:53137 [proto: 37/BitTorrent][3 pkts/430 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] - 24 TCP 192.168.1.3:52917 <-> 151.15.48.189:47001 [proto: 37/BitTorrent][3 pkts/455 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 7 TCP 192.168.1.3:52903 <-> 198.100.146.9:60163 [proto: 37/BitTorrent][3 pkts/410 bytes <-> 3 pkts/851 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 8 TCP 192.168.1.3:52917 <-> 151.15.48.189:47001 [proto: 37/BitTorrent][3 pkts/455 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 9 TCP 192.168.1.3:52911 <-> 151.26.95.30:22673 [proto: 37/BitTorrent][3 pkts/442 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 10 TCP 192.168.1.3:52921 <-> 95.234.159.16:41205 [proto: 37/BitTorrent][3 pkts/440 bytes <-> 2 pkts/772 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 11 TCP 192.168.1.3:52922 <-> 95.237.193.34:11321 [proto: 37/BitTorrent][3 pkts/434 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 12 TCP 192.168.1.3:52906 <-> 82.57.97.83:53137 [proto: 37/BitTorrent][3 pkts/434 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 13 TCP 192.168.1.3:52887 <-> 82.57.97.83:53137 [proto: 37/BitTorrent][3 pkts/430 bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 14 TCP 192.168.1.3:52896 <-> 79.53.228.2:14627 [proto: 37/BitTorrent][3 pkts/409 
bytes <-> 2 pkts/771 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 15 TCP 192.168.1.3:52926 <-> 93.65.249.100:31336 [proto: 37/BitTorrent][1 pkts/134 bytes <-> 2 pkts/796 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 16 TCP 192.168.1.3:52888 <-> 82.58.216.115:38305 [proto: 37/BitTorrent][1 pkts/134 bytes <-> 1 pkts/624 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 17 TCP 192.168.1.3:52902 <-> 190.103.195.56:46633 [proto: 37/BitTorrent][2 pkts/349 bytes <-> 2 pkts/265 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 18 TCP 192.168.1.3:52912 <-> 151.72.255.163:59928 [proto: 37/BitTorrent][3 pkts/455 bytes <-> 1 pkts/157 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 19 TCP 192.168.1.3:52909 -> 79.53.228.2:14627 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 20 TCP 192.168.1.3:52894 -> 120.62.33.241:39332 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 21 TCP 192.168.1.3:52925 -> 93.65.227.100:19116 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 22 TCP 192.168.1.3:52893 -> 79.55.129.22:12097 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 23 TCP 192.168.1.3:52910 -> 120.62.33.241:39332 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] + 24 TCP 192.168.1.3:52908 -> 79.55.129.22:12097 [proto: 37/BitTorrent][1 pkts/134 bytes -> 0 pkts/0 bytes][BT Hash: dcfcdccfb9e670ccc3dd40c78c161f2bea243126] diff --git a/tests/result/bittorrent_ip.pcap.out b/tests/result/bittorrent_ip.pcap.out index ab6280fb7..5a08d2dee 100644 --- a/tests/result/bittorrent_ip.pcap.out +++ b/tests/result/bittorrent_ip.pcap.out 
@@ -1,4 +1,4 @@ BitTorrent 479 508018 2 - 1 TCP 185.56.20.36:53646 <-> 10.0.0.14:35030 [proto: 37/BitTorrent][25 pkts/36414 bytes <-> 23 pkts/1518 bytes] - 2 TCP 77.222.174.20:2866 <-> 10.0.0.14:46610 [proto: 37/BitTorrent][305 pkts/461770 bytes <-> 126 pkts/8316 bytes] + 1 TCP 77.222.174.20:2866 <-> 10.0.0.14:46610 [proto: 37/BitTorrent][305 pkts/461770 bytes <-> 126 pkts/8316 bytes] + 2 TCP 185.56.20.36:53646 <-> 10.0.0.14:35030 [proto: 37/BitTorrent][25 pkts/36414 bytes <-> 23 pkts/1518 bytes] diff --git a/tests/result/coap_mqtt.pcap.out b/tests/result/coap_mqtt.pcap.out index b95d26565..979127b46 100644 --- a/tests/result/coap_mqtt.pcap.out +++ b/tests/result/coap_mqtt.pcap.out 
@@ -2,19 +2,19 @@ COAP 19 1614 8 Dropbox 800 80676 4 MQTT 7695 668291 4 - 1 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:61043 -> [2001:620:8:35d9::10]:5683 [proto: 27/COAP][1 pkts/86 bytes -> 0 pkts/0 bytes] - 2 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:61045 -> [2001:620:8:35d9::10]:5683 [proto: 27/COAP][1 pkts/86 bytes -> 0 pkts/0 bytes] - 3 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:61047 -> [2001:620:8:35d9::10]:5683 [proto: 27/COAP][1 pkts/90 bytes -> 0 pkts/0 bytes] - 4 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13960 bytes <-> 100 pkts/6260 bytes] - 5 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13947 bytes <-> 100 pkts/6247 bytes] - 6 TCP 192.168.56.1:53523 <-> 192.168.56.101:17501 [proto: 222/MQTT][918 pkts/76692 bytes <-> 1008 pkts/90434 bytes] - 7 UDP [bbbb::1]:33499 <-> [bbbb::3]:5683 [proto: 27/COAP][2 pkts/147 bytes <-> 2 pkts/257 bytes] - 8 UDP [bbbb::1]:46819 <-> [bbbb::3]:5683 [proto: 27/COAP][3 pkts/262 bytes <-> 3 pkts/205 bytes] - 9 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:61044 -> [2001:620:8:35d9::10]:5683 [proto: 27/COAP][1 pkts/86 bytes -> 0 pkts/0 bytes] - 10 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:61046 -> [2001:620:8:35d9::10]:5683 [proto: 27/COAP][1 pkts/86 bytes -> 0 pkts/0 bytes] - 11 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13910 bytes <-> 100 pkts/6210 bytes] - 12 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13921 bytes <-> 100 pkts/6221 bytes] - 13 TCP 192.168.56.1:53522 <-> 192.168.56.101:17501 [proto: 222/MQTT][921 pkts/76872 bytes <-> 1001 pkts/90056 bytes] - 14 TCP 192.168.56.1:53528 <-> 192.168.56.101:17501 [proto: 222/MQTT][924 pkts/77180 bytes <-> 1004 pkts/90329 bytes] - 15 TCP 192.168.56.101:17501 <-> 192.168.56.1:53524 [proto: 222/MQTT][1005 pkts/90274 bytes <-> 914 pkts/76454 bytes] - 16 UDP [bbbb::1]:50250 <-> [bbbb::3]:5683 [proto: 27/COAP][2 pkts/158 bytes <-> 2 pkts/151 
bytes] + 1 TCP 192.168.56.1:53528 <-> 192.168.56.101:17501 [proto: 222/MQTT][924 pkts/77180 bytes <-> 1004 pkts/90329 bytes] + 2 TCP 192.168.56.1:53523 <-> 192.168.56.101:17501 [proto: 222/MQTT][918 pkts/76692 bytes <-> 1008 pkts/90434 bytes] + 3 TCP 192.168.56.1:53522 <-> 192.168.56.101:17501 [proto: 222/MQTT][921 pkts/76872 bytes <-> 1001 pkts/90056 bytes] + 4 TCP 192.168.56.101:17501 <-> 192.168.56.1:53524 [proto: 222/MQTT][1005 pkts/90274 bytes <-> 914 pkts/76454 bytes] + 5 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13960 bytes <-> 100 pkts/6260 bytes] + 6 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13947 bytes <-> 100 pkts/6247 bytes] + 7 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13921 bytes <-> 100 pkts/6221 bytes] + 8 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13910 bytes <-> 100 pkts/6210 bytes] + 9 UDP [bbbb::1]:46819 <-> [bbbb::3]:5683 [proto: 27/COAP][3 pkts/262 bytes <-> 3 pkts/205 bytes] + 10 UDP [bbbb::1]:33499 <-> [bbbb::3]:5683 [proto: 27/COAP][2 pkts/147 bytes <-> 2 pkts/257 bytes] + 11 UDP [bbbb::1]:50250 <-> [bbbb::3]:5683 [proto: 27/COAP][2 pkts/158 bytes <-> 2 pkts/151 bytes] + 12 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:61047 -> [2001:620:8:35d9::10]:5683 [proto: 27/COAP][1 pkts/90 bytes -> 0 pkts/0 bytes] + 13 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:61046 -> [2001:620:8:35d9::10]:5683 [proto: 27/COAP][1 pkts/86 bytes -> 0 pkts/0 bytes] + 14 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:61044 -> [2001:620:8:35d9::10]:5683 [proto: 27/COAP][1 pkts/86 bytes -> 0 pkts/0 bytes] + 15 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:61045 -> [2001:620:8:35d9::10]:5683 [proto: 27/COAP][1 pkts/86 bytes -> 0 pkts/0 bytes] + 16 UDP [2001:da8:215:1171:a10b:cb48:8f83:57f6]:61043 -> [2001:620:8:35d9::10]:5683 [proto: 27/COAP][1 pkts/86 bytes -> 0 pkts/0 bytes] 
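Review bot: Flows with equal byte totals land in an order that is neither the old listing order nor port order, so these baselines may not be reproducible across platforms. Entries 13-16 of this hunk (four 86-byte COAP flows) come out as ports 61046, 61044, 61045, 61043, and the ten 2836-byte SSDP flows in tests/result/dropbox.pcap.out are shuffled the same way. The sorting code is not in this hunk, so this is inferred: if it is an unstable sort such as `qsort` with a comparator on bytes alone, the expected files encode one libc's tie order. A secondary key in the comparator, for example the flow's ports or its original index, would make the output deterministic. This is worth confirming before the fixtures are relied on as regression checks for the dissectors.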
diff --git a/tests/result/dnscrypt.pcap.out b/tests/result/dnscrypt.pcap.out index 4ff120315..1ea162680 100644 --- a/tests/result/dnscrypt.pcap.out +++ b/tests/result/dnscrypt.pcap.out @@ -1,6 +1,6 @@ DNScrypt 111 44676 4 - 1 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][8 pkts/780 bytes <-> 10 pkts/7735 bytes][client: simplednscrypt.org] - 2 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][client: simplednscrypt.org] - 3 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][8 pkts/780 bytes <-> 10 pkts/7735 bytes][client: simplednscrypt.org] - 4 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][client: simplednscrypt.org] + 1 TCP 192.168.43.167:50233 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][18 pkts/1788 bytes <-> 21 pkts/14580 bytes][client: simplednscrypt.org] + 2 TCP 192.168.43.167:50259 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][18 pkts/1988 bytes <-> 18 pkts/9290 bytes][client: simplednscrypt.org] + 3 TCP 192.168.43.167:50258 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][8 pkts/780 bytes <-> 10 pkts/7735 bytes][client: simplednscrypt.org] + 4 TCP 192.168.43.167:50253 <-> 134.119.26.24:443 [proto: 91.208/SSL.DNScrypt][8 pkts/780 bytes <-> 10 pkts/7735 bytes][client: simplednscrypt.org] diff --git a/tests/result/dropbox.pcap.out b/tests/result/dropbox.pcap.out index 57b68986f..141e996eb 100644 --- a/tests/result/dropbox.pcap.out +++ b/tests/result/dropbox.pcap.out 
@@ -2,42 +2,42 @@ MDNS 16 1648 1 SSDP 140 61108 22 Dropbox 1104 246122 16 - 1 UDP 192.168.1.105:33189 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/156 bytes <-> 2 pkts/588 bytes][Host: notify.dropbox.com] - 2 UDP 192.168.1.105:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes -> 0 pkts/0 bytes] - 3 TCP 192.168.1.105:59975 <-> 108.160.172.204:443 [proto: 91.121/SSL.Dropbox][18 pkts/3562 bytes <-> 16 pkts/14464 bytes][client: client.dropbox.com][server: *.dropbox.com] - 4 UDP 192.168.1.105:36173 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/312 bytes <-> 4 pkts/1078 bytes][Host: log.getdropbox.com] - 5 TCP 192.168.1.105:46394 <-> 162.125.17.131:443 [proto: 91.121/SSL.Dropbox][12 pkts/2338 bytes <-> 10 pkts/9054 bytes][client: notify.dropbox.com][server: *.dropbox.com] - 6 UDP 192.168.1.105:50789 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/146 bytes <-> 2 pkts/646 bytes][Host: d.dropbox.com] - 7 UDP 192.168.1.105:55407 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/156 bytes <-> 2 pkts/666 bytes][Host: client.dropbox.com] - 8 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13960 bytes <-> 100 pkts/6260 bytes] - 9 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13947 bytes <-> 100 pkts/6247 bytes] - 10 UDP 192.168.1.101:1280 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] - 11 UDP 192.168.1.101:1346 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] - 12 UDP 192.168.1.101:1650 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] - 13 UDP 192.168.1.101:1908 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] - 14 UDP 192.168.1.101:2544 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] - 15 UDP 192.168.1.101:2604 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] - 16 UDP 192.168.1.101:3412 -> 
239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] - 17 UDP 192.168.1.101:4974 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] - 18 UDP 192.168.1.105:49112 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/162 bytes <-> 2 pkts/612 bytes][Host: client-cf.dropbox.com] - 19 UDP 192.168.1.105:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes -> 0 pkts/0 bytes] - 20 UDP 192.168.1.254:50828 -> 239.255.255.250:1900 [proto: 12/SSDP][44 pkts/19936 bytes -> 0 pkts/0 bytes] - 21 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13910 bytes <-> 100 pkts/6210 bytes] - 22 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13921 bytes <-> 100 pkts/6221 bytes] - 23 UDP 192.168.1.106:57268 -> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/2632 bytes -> 0 pkts/0 bytes] - 24 TCP 192.168.1.105:44949 <-> 54.240.174.31:443 [proto: 91.121/SSL.Dropbox][64 pkts/12228 bytes <-> 74 pkts/85074 bytes][client: client-cf.dropbox.com][server: client-cf.dropbox.com] - 25 TCP 192.168.1.105:36226 <-> 108.160.172.195:80 [proto: 7.121/HTTP.Dropbox][10 pkts/2170 bytes <-> 10 pkts/1758 bytes][Host: log.getdropbox.com] - 26 UDP 192.168.1.101:2169 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] - 27 UDP 192.168.1.101:2141 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] - 28 UDP 192.168.1.101:2159 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] - 29 UDP 192.168.1.101:2873 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] - 30 UDP 192.168.1.101:2991 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] - 31 UDP 192.168.1.101:3547 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] - 32 UDP 192.168.1.101:3731 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] - 33 UDP 192.168.1.101:3777 
-> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] - 34 UDP 192.168.1.101:3959 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] - 35 UDP 192.168.1.101:4171 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] - 36 UDP 192.168.1.101:4169 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] - 37 UDP 192.168.1.106:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][16 pkts/1648 bytes -> 0 pkts/0 bytes] - 38 UDP 192.168.1.101:4625 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] - 39 TCP 192.168.1.105:47747 <-> 108.160.172.225:443 [proto: 91.121/SSL.Dropbox][28 pkts/12486 bytes <-> 26 pkts/14946 bytes][client: d.dropbox.com] + 1 TCP 192.168.1.105:44949 <-> 54.240.174.31:443 [proto: 91.121/SSL.Dropbox][64 pkts/12228 bytes <-> 74 pkts/85074 bytes][client: client-cf.dropbox.com][server: client-cf.dropbox.com] + 2 TCP 192.168.1.105:47747 <-> 108.160.172.225:443 [proto: 91.121/SSL.Dropbox][28 pkts/12486 bytes <-> 26 pkts/14946 bytes][client: d.dropbox.com] + 3 UDP 192.168.56.1:50318 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13960 bytes <-> 100 pkts/6260 bytes] + 4 UDP 192.168.56.1:50312 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13947 bytes <-> 100 pkts/6247 bytes] + 5 UDP 192.168.56.1:50319 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13921 bytes <-> 100 pkts/6221 bytes] + 6 UDP 192.168.56.1:50311 <-> 192.168.56.101:17500 [proto: 121/Dropbox][100 pkts/13910 bytes <-> 100 pkts/6210 bytes] + 7 UDP 192.168.1.254:50828 -> 239.255.255.250:1900 [proto: 12/SSDP][44 pkts/19936 bytes -> 0 pkts/0 bytes] + 8 TCP 192.168.1.105:59975 <-> 108.160.172.204:443 [proto: 91.121/SSL.Dropbox][18 pkts/3562 bytes <-> 16 pkts/14464 bytes][client: client.dropbox.com][server: *.dropbox.com] + 9 TCP 192.168.1.105:46394 <-> 162.125.17.131:443 [proto: 91.121/SSL.Dropbox][12 pkts/2338 bytes <-> 10 pkts/9054 bytes][client: 
notify.dropbox.com][server: *.dropbox.com] + 10 TCP 192.168.1.105:36226 <-> 108.160.172.195:80 [proto: 7.121/HTTP.Dropbox][10 pkts/2170 bytes <-> 10 pkts/1758 bytes][Host: log.getdropbox.com] + 11 UDP 192.168.1.101:4974 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] + 12 UDP 192.168.1.101:4169 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] + 13 UDP 192.168.1.101:2873 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] + 14 UDP 192.168.1.101:4625 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] + 15 UDP 192.168.1.101:3959 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] + 16 UDP 192.168.1.101:3547 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] + 17 UDP 192.168.1.101:4171 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] + 18 UDP 192.168.1.101:1650 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] + 19 UDP 192.168.1.101:2141 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] + 20 UDP 192.168.1.101:3412 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/2836 bytes -> 0 pkts/0 bytes] + 21 UDP 192.168.1.106:57268 -> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/2632 bytes -> 0 pkts/0 bytes] + 22 UDP 192.168.1.106:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][16 pkts/1648 bytes -> 0 pkts/0 bytes] + 23 UDP 192.168.1.105:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes -> 0 pkts/0 bytes] + 24 UDP 192.168.1.105:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/1422 bytes -> 0 pkts/0 bytes] + 25 UDP 192.168.1.105:36173 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][4 pkts/312 bytes <-> 4 pkts/1078 bytes][Host: log.getdropbox.com] + 26 UDP 192.168.1.101:3777 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] + 27 UDP 192.168.1.101:2169 -> 239.255.255.250:1900 [proto: 
12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] + 28 UDP 192.168.1.101:1280 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] + 29 UDP 192.168.1.101:2544 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] + 30 UDP 192.168.1.101:1346 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] + 31 UDP 192.168.1.101:1908 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] + 32 UDP 192.168.1.101:2604 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] + 33 UDP 192.168.1.101:2159 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] + 34 UDP 192.168.1.101:2991 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] + 35 UDP 192.168.1.101:3731 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/1018 bytes -> 0 pkts/0 bytes] + 36 UDP 192.168.1.105:55407 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/156 bytes <-> 2 pkts/666 bytes][Host: client.dropbox.com] + 37 UDP 192.168.1.105:50789 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/146 bytes <-> 2 pkts/646 bytes][Host: d.dropbox.com] + 38 UDP 192.168.1.105:49112 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/162 bytes <-> 2 pkts/612 bytes][Host: client-cf.dropbox.com] + 39 UDP 192.168.1.105:33189 <-> 192.168.1.254:53 [proto: 5.121/DNS.Dropbox][2 pkts/156 bytes <-> 2 pkts/588 bytes][Host: notify.dropbox.com] diff --git a/tests/result/facebook.pcap.out b/tests/result/facebook.pcap.out index cb7d91585..9cec4a412 100644 --- a/tests/result/facebook.pcap.out +++ b/tests/result/facebook.pcap.out 
@@ -1,4 +1,4 @@ Facebook 60 30511 2 - 1 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/SSL.Facebook][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][client: facebook.com][server: *.facebook.com] - 2 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/SSL.Facebook][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][client: www.facebook.com] + 1 TCP 192.168.43.18:44614 <-> 31.13.86.36:443 [proto: 91.119/SSL.Facebook][19 pkts/2664 bytes <-> 22 pkts/22102 bytes][client: www.facebook.com] + 2 TCP 192.168.43.18:52066 <-> 66.220.156.68:443 [proto: 91.119/SSL.Facebook][9 pkts/1345 bytes <-> 10 pkts/4400 bytes][client: facebook.com][server: *.facebook.com] diff --git a/tests/result/fix.pcap.out b/tests/result/fix.pcap.out index 66707122e..6e83a3adf 100644 --- a/tests/result/fix.pcap.out +++ b/tests/result/fix.pcap.out 
@@ -1,14 +1,14 @@ FIX 1261 115514 12 - 1 TCP 8.17.22.31:4000 <-> 192.168.0.20:40918 [proto: 230/FIX][18 pkts/1938 bytes <-> 18 pkts/1358 bytes] - 2 TCP 8.17.22.31:4000 <-> 192.168.0.20:40928 [proto: 230/FIX][4 pkts/342 bytes <-> 2 pkts/303 bytes] - 3 TCP 217.192.86.32:4000 <-> 192.168.0.20:53330 [proto: 230/FIX][6 pkts/456 bytes <-> 5 pkts/551 bytes] - 4 TCP 8.17.22.31:4000 <-> 192.168.0.20:43594 [proto: 230/FIX][111 pkts/16881 bytes <-> 111 pkts/7680 bytes] - 5 TCP 8.17.22.31:4000 <-> 192.168.0.20:47968 [proto: 230/FIX][201 pkts/21246 bytes <-> 200 pkts/13460 bytes] - 6 TCP 8.17.22.31:4000 <-> 192.168.0.20:47952 [proto: 230/FIX][5 pkts/577 bytes <-> 5 pkts/484 bytes] - 7 TCP 8.17.22.31:4000 <-> 192.168.0.20:47962 [proto: 230/FIX][6 pkts/513 bytes <-> 4 pkts/522 bytes] - 8 TCP 208.245.107.3:4000 <-> 192.168.0.20:38652 [proto: 230/FIX][9 pkts/961 bytes <-> 9 pkts/700 bytes] - 9 TCP 208.245.107.3:4000 <-> 192.168.0.20:38646 [proto: 230/FIX][6 pkts/441 bytes <-> 4 pkts/477 bytes] + 1 TCP 208.245.107.3:4000 <-> 192.168.0.20:45578 [proto: 230/FIX][228 pkts/26333 bytes <-> 228 pkts/13920 bytes] + 2 TCP 8.17.22.31:4000 <-> 192.168.0.20:47968 [proto: 230/FIX][201 pkts/21246 bytes <-> 200 pkts/13460 bytes] + 3 TCP 8.17.22.31:4000 <-> 192.168.0.20:43594 [proto: 230/FIX][111 pkts/16881 bytes <-> 111 pkts/7680 bytes] + 4 TCP 208.245.107.3:4000 <-> 192.168.0.20:45584 [proto: 230/FIX][35 pkts/3022 bytes <-> 35 pkts/2342 bytes] + 5 TCP 8.17.22.31:4000 <-> 192.168.0.20:40918 [proto: 230/FIX][18 pkts/1938 bytes <-> 18 pkts/1358 bytes] + 6 TCP 208.245.107.3:4000 <-> 192.168.0.20:38652 [proto: 230/FIX][9 pkts/961 bytes <-> 9 pkts/700 bytes] + 7 TCP 8.17.22.31:4000 <-> 192.168.0.20:47952 [proto: 230/FIX][5 pkts/577 bytes <-> 5 pkts/484 bytes] + 8 TCP 8.17.22.31:4000 <-> 192.168.0.20:47962 [proto: 230/FIX][6 pkts/513 bytes <-> 4 pkts/522 bytes] + 9 TCP 217.192.86.32:4000 <-> 192.168.0.20:53330 [proto: 230/FIX][6 pkts/456 bytes <-> 5 pkts/551 bytes] 10 TCP 208.245.107.3:4000 <-> 
192.168.0.20:39094 [proto: 230/FIX][6 pkts/456 bytes <-> 5 pkts/551 bytes] - 11 TCP 208.245.107.3:4000 <-> 192.168.0.20:45578 [proto: 230/FIX][228 pkts/26333 bytes <-> 228 pkts/13920 bytes] - 12 TCP 208.245.107.3:4000 <-> 192.168.0.20:45584 [proto: 230/FIX][35 pkts/3022 bytes <-> 35 pkts/2342 bytes] + 11 TCP 208.245.107.3:4000 <-> 192.168.0.20:38646 [proto: 230/FIX][6 pkts/441 bytes <-> 4 pkts/477 bytes] + 12 TCP 8.17.22.31:4000 <-> 192.168.0.20:40928 [proto: 230/FIX][4 pkts/342 bytes <-> 2 pkts/303 bytes] diff --git a/tests/result/http_ipv6.pcap.out b/tests/result/http_ipv6.pcap.out index c57e7b950..04b03c479 100644 --- a/tests/result/http_ipv6.pcap.out +++ b/tests/result/http_ipv6.pcap.out 
@@ -4,18 +4,18 @@ Google 62 15977 1 QUIC 3 502 1 ntop 80 36401 4 - 1 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] - 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.233/SSL.ntop][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][client: www.ntop.org] - 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.233/SSL.ntop][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][client: www.ntop.org] + 1 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:45931 <-> [2a00:1450:4001:803::1017]:443 [proto: 188.126/QUIC.Google][33 pkts/7741 bytes <-> 29 pkts/8236 bytes][Host: www.google.it] + 2 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.233/SSL.ntop][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][client: www.ntop.org] + 3 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37486 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.233/SSL.ntop][11 pkts/1292 bytes <-> 8 pkts/5722 bytes][client: www.ntop.org] 4 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37494 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.233/SSL.ntop][10 pkts/1206 bytes <-> 8 pkts/5722 bytes][client: www.ntop.org] - 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37506 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.233/SSL.ntop][14 pkts/3969 bytes <-> 12 pkts/11648 bytes][client: www.ntop.org] - 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40526 <-> [2a00:1450:4006:804::200e]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] - 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:41776 <-> [2a00:1450:4001:803::1017]:443 [proto: 91/SSL][7 pkts/860 bytes <-> 7 pkts/1353 bytes] - 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][7 pkts/960 bytes <-> 5 pkts/4227 bytes][client: s-static.ak.facebook.com][server: *.ak.fbcdn.net] - 9 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][6 
pkts/874 bytes <-> 4 pkts/4141 bytes][client: s-static.ak.facebook.com][server: *.ak.fbcdn.net] + 5 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:37488 <-> [2a03:b0c0:3:d0::70:1001]:443 [proto: 91.233/SSL.ntop][10 pkts/1206 bytes <-> 7 pkts/5636 bytes][client: www.ntop.org] + 6 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53132 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][7 pkts/960 bytes <-> 5 pkts/4227 bytes][client: s-static.ak.facebook.com][server: *.ak.fbcdn.net] + 7 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:53134 <-> [2a02:26f0:ad:197::236]:443 [proto: 91.119/SSL.Facebook][6 pkts/874 bytes <-> 4 pkts/4141 bytes][client: s-static.ak.facebook.com][server: *.ak.fbcdn.net] + 8 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:41776 <-> [2a00:1450:4001:803::1017]:443 [proto: 91/SSL][7 pkts/860 bytes <-> 7 pkts/1353 bytes] + 9 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:55145 <-> [2a00:1450:400b:c02::5f]:443 [proto: 188/QUIC][2 pkts/359 bytes <-> 1 pkts/143 bytes] 10 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:58660 <-> [2a00:1450:4006:803::2008]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] 11 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:59690 <-> [2a00:1450:4001:803::1012]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] 12 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:60124 <-> [2a02:26f0:ad:1a1::eed]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] 13 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40308 <-> [2a03:2880:1010:3f20:face:b00c::25de]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] - 14 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:45931 <-> [2a00:1450:4001:803::1017]:443 [proto: 188.126/QUIC.Google][33 pkts/7741 bytes <-> 29 pkts/8236 bytes][Host: www.google.it] - 15 UDP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:55145 <-> [2a00:1450:400b:c02::5f]:443 [proto: 188/QUIC][2 pkts/359 bytes <-> 1 pkts/143 bytes] + 14 TCP [2a00:d40:1:3:7aac:c0ff:fea7:d4c]:40526 <-> [2a00:1450:4006:804::200e]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] + 15 TCP 
[2a00:d40:1:3:7aac:c0ff:fea7:d4c]:33062 <-> [2a00:1450:400b:c02::9a]:443 [proto: 91/SSL][1 pkts/86 bytes <-> 1 pkts/86 bytes] diff --git a/tests/result/msnms.pcap.out b/tests/result/msnms.pcap.out index 6cb0cd5fa..b07716c2a 100644 --- a/tests/result/msnms.pcap.out +++ b/tests/result/msnms.pcap.out @@ -1,8 +1,8 @@ MSN 364 56503 6 - 1 TCP 192.168.1.14:1176 -> 207.46.108.39:1863 [proto: 68/MSN][13 pkts/2202 bytes -> 0 pkts/0 bytes] - 2 TCP 192.168.1.14:1208 <-> 207.46.108.83:1863 [proto: 68/MSN][43 pkts/7166 bytes <-> 48 pkts/9557 bytes] - 3 TCP 192.168.1.14:1220 <-> 207.46.108.150:1863 [proto: 68/MSN][2 pkts/163 bytes <-> 14 pkts/2737 bytes] + 1 TCP 192.168.1.14:1208 <-> 207.46.108.83:1863 [proto: 68/MSN][43 pkts/7166 bytes <-> 48 pkts/9557 bytes] + 2 TCP 192.168.1.14:1221 <-> 207.46.108.59:1863 [proto: 68/MSN][43 pkts/7062 bytes <-> 40 pkts/7349 bytes] + 3 TCP 192.168.1.14:1217 <-> 207.46.108.41:1863 [proto: 68/MSN][46 pkts/7655 bytes <-> 19 pkts/3761 bytes] 4 TCP 192.168.1.14:1037 <-> 207.46.107.149:1863 [proto: 68/MSN][41 pkts/2425 bytes <-> 55 pkts/6426 bytes] - 5 TCP 192.168.1.14:1217 <-> 207.46.108.41:1863 [proto: 68/MSN][46 pkts/7655 bytes <-> 19 pkts/3761 bytes] - 6 TCP 192.168.1.14:1221 <-> 207.46.108.59:1863 [proto: 68/MSN][43 pkts/7062 bytes <-> 40 pkts/7349 bytes] + 5 TCP 192.168.1.14:1220 <-> 207.46.108.150:1863 [proto: 68/MSN][2 pkts/163 bytes <-> 14 pkts/2737 bytes] + 6 TCP 192.168.1.14:1176 -> 207.46.108.39:1863 [proto: 68/MSN][13 pkts/2202 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/mssql_tds.pcap.out b/tests/result/mssql_tds.pcap.out index 01e00c815..fdc5184dd 100644 --- a/tests/result/mssql_tds.pcap.out +++ b/tests/result/mssql_tds.pcap.out 
@@ -1,14 +1,14 @@ MsSQL-TDS 38 16260 12 - 1 TCP 10.111.111.111:2222 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/98 bytes <-> 1 pkts/71 bytes] - 2 TCP 10.111.111.111:4444 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/1136 bytes -> 0 pkts/0 bytes] - 3 TCP 10.111.111.111:6666 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][7 pkts/8717 bytes -> 0 pkts/0 bytes] - 4 TCP 10.111.111.111:8888 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/142 bytes -> 0 pkts/0 bytes] - 5 TCP 10.111.111.111:22222 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/322 bytes -> 0 pkts/0 bytes] - 6 TCP 10.111.111.111:1111 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][2 pkts/614 bytes <-> 2 pkts/524 bytes] - 7 TCP 10.111.111.111:3333 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/239 bytes -> 0 pkts/0 bytes] - 8 TCP 10.111.111.111:5555 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][10 pkts/1552 bytes <-> 7 pkts/1521 bytes] - 9 TCP 10.111.111.111:7777 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/425 bytes -> 0 pkts/0 bytes] - 10 TCP 10.111.111.111:9999 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/272 bytes -> 0 pkts/0 bytes] - 11 TCP 10.111.111.111:11111 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/253 bytes -> 0 pkts/0 bytes] - 12 TCP 10.111.111.111:33333 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/374 bytes -> 0 pkts/0 bytes] + 1 TCP 10.111.111.111:6666 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][7 pkts/8717 bytes -> 0 pkts/0 bytes] + 2 TCP 10.111.111.111:5555 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][10 pkts/1552 bytes <-> 7 pkts/1521 bytes] + 3 TCP 10.111.111.111:1111 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][2 pkts/614 bytes <-> 2 pkts/524 bytes] + 4 TCP 10.111.111.111:4444 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/1136 bytes -> 0 pkts/0 bytes] + 5 TCP 10.111.111.111:7777 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/425 bytes -> 0 pkts/0 bytes] + 6 TCP 10.111.111.111:33333 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/374 bytes -> 0 pkts/0 bytes] + 7 TCP 10.111.111.111:22222 -> 10.0.0.1:1433 
[proto: 114/MsSQL-TDS][1 pkts/322 bytes -> 0 pkts/0 bytes] + 8 TCP 10.111.111.111:9999 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/272 bytes -> 0 pkts/0 bytes] + 9 TCP 10.111.111.111:11111 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/253 bytes -> 0 pkts/0 bytes] + 10 TCP 10.111.111.111:3333 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/239 bytes -> 0 pkts/0 bytes] + 11 TCP 10.111.111.111:2222 <-> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/98 bytes <-> 1 pkts/71 bytes] + 12 TCP 10.111.111.111:8888 -> 10.0.0.1:1433 [proto: 114/MsSQL-TDS][1 pkts/142 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/netflix.pcap.out b/tests/result/netflix.pcap.out index bdc64329b..1e57cf28f 100644 --- a/tests/result/netflix.pcap.out +++ b/tests/result/netflix.pcap.out 
@@ -4,64 +4,64 @@ IGMP 1 60 1 NetFlix 6976 6151821 56 Amazon 2 126 1 - 1 TCP 192.168.1.7:53149 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][40 pkts/3413 bytes <-> 86 pkts/125190 bytes][Host: art-2.nflximg.net] - 2 TCP 192.168.1.7:53153 <-> 184.25.204.24:80 [proto: 7.133/HTTP.NetFlix][147 pkts/11558 bytes <-> 490 pkts/734346 bytes][Host: tp.akam.nflximg.com] - 3 TCP 192.168.1.7:53251 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][16 pkts/1558 bytes <-> 25 pkts/33413 bytes][Host: art-1.nflximg.net] - 4 UDP 192.168.1.7:51543 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/160 bytes <-> 2 pkts/646 bytes][Host: ios.nccp.netflix.com] - 5 UDP 192.168.1.7:51949 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/97 bytes <-> 1 pkts/225 bytes][Host: api-global.latency.prodaa.netflix.com] - 6 UDP 192.168.1.7:52095 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/97 bytes <-> 1 pkts/225 bytes][Host: api-global.latency.prodaa.netflix.com] - 7 UDP 192.168.1.7:52347 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/80 bytes <-> 1 pkts/371 bytes][Host: ios.nccp.netflix.com] - 8 UDP 192.168.1.7:57093 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/81 bytes <-> 1 pkts/113 bytes][Host: a1907.dscg.akamai.net] - 9 UDP 192.168.1.7:57719 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/85 bytes <-> 1 pkts/137 bytes][Host: sha2.san.akam.nflximg.net] - 10 TCP 192.168.1.7:53163 <-> 23.246.11.145:80 [proto: 7.133/HTTP.NetFlix][21 pkts/1826 bytes <-> 32 pkts/43179 bytes] + 1 TCP 192.168.1.7:53217 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][667 pkts/50462 bytes <-> 1205 pkts/1807875 bytes][Host: 23.246.11.141] + 2 TCP 192.168.1.7:53183 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][502 pkts/40335 bytes <-> 805 pkts/1202445 bytes][Host: 23.246.3.140] + 3 TCP 192.168.1.7:53210 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][293 pkts/23170 bytes <-> 495 pkts/736113 bytes][Host: 23.246.11.133] + 4 TCP 192.168.1.7:53153 <-> 184.25.204.24:80 [proto: 7.133/HTTP.NetFlix][147 
pkts/11558 bytes <-> 490 pkts/734346 bytes][Host: tp.akam.nflximg.com] + 5 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/SSL.NetFlix][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][client: art-s.nflximg.net][server: secure.cdn.nflximg.net] + 6 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][75 pkts/6610 bytes <-> 103 pkts/150772 bytes][Host: 23.246.11.141] + 7 TCP 192.168.1.7:53149 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][40 pkts/3413 bytes <-> 86 pkts/125190 bytes][Host: art-2.nflximg.net] + 8 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][client: api-global.netflix.com][server: api.netflix.com] + 9 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 10 TCP 192.168.1.7:53164 <-> 23.246.10.139:80 [proto: 7.133/HTTP.NetFlix][24 pkts/2040 bytes <-> 34 pkts/45136 bytes] 11 TCP 192.168.1.7:53171 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][21 pkts/1868 bytes <-> 34 pkts/45139 bytes] - 12 TCP 192.168.1.7:53173 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][24 pkts/2041 bytes <-> 25 pkts/30064 bytes] - 13 TCP 192.168.1.7:53175 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][31 pkts/2571 bytes <-> 22 pkts/28042 bytes] - 14 TCP 192.168.1.7:53183 <-> 23.246.3.140:80 [proto: 7.133/HTTP.NetFlix][502 pkts/40335 bytes <-> 805 pkts/1202445 bytes][Host: 23.246.3.140] - 15 TCP 192.168.1.7:53177 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][32 pkts/2572 bytes <-> 23 pkts/26661 bytes] + 12 TCP 192.168.1.7:53148 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][31 pkts/2893 bytes <-> 32 pkts/44112 bytes][Host: art-2.nflximg.net] + 13 TCP 192.168.1.7:53163 <-> 23.246.11.145:80 [proto: 7.133/HTTP.NetFlix][21 pkts/1826 bytes <-> 32 pkts/43179 bytes] + 14 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][30 pkts/6328 bytes <-> 
39 pkts/37610 bytes][client: api-global.netflix.com][server: api.netflix.com] + 15 TCP 192.168.1.7:53252 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][12 pkts/1221 bytes <-> 29 pkts/41018 bytes][Host: art-1.nflximg.net] 16 TCP 192.168.1.7:53179 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][31 pkts/2596 bytes <-> 29 pkts/37544 bytes] - 17 TCP 192.168.1.7:53181 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][34 pkts/2879 bytes <-> 20 pkts/22373 bytes] - 18 TCP 192.168.1.7:53217 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][667 pkts/50462 bytes <-> 1205 pkts/1807875 bytes][Host: 23.246.11.141] - 19 IGMP 192.168.1.7:0 -> 239.255.255.250:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 20 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Host: api-global.netflix.com] - 21 TCP 192.168.1.7:53116 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][75 pkts/31024 bytes <-> 73 pkts/42930 bytes][client: api-global.netflix.com][server: api.netflix.com] - 22 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/SSL.NetFlix][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] - 23 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][client: api-global.netflix.com][server: api.netflix.com] - 24 TCP 192.168.1.7:53133 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][30 pkts/6328 bytes <-> 39 pkts/37610 bytes][client: api-global.netflix.com][server: api.netflix.com] - 25 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 26 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 27 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][25 
pkts/5934 bytes <-> 27 pkts/19952 bytes][client: api-global.netflix.com] - 28 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] - 29 TCP 192.168.1.7:53193 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][46 pkts/50218 bytes <-> 25 pkts/7943 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 30 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][20 pkts/7639 bytes <-> 16 pkts/5235 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] - 31 TCP 192.168.1.7:53148 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][31 pkts/2893 bytes <-> 32 pkts/44112 bytes][Host: art-2.nflximg.net] - 32 TCP 192.168.1.7:53150 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][10 pkts/941 bytes <-> 11 pkts/12318 bytes][Host: art-2.nflximg.net] - 33 TCP 192.168.1.7:53252 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][12 pkts/1221 bytes <-> 29 pkts/41018 bytes][Host: art-1.nflximg.net] - 34 UDP 192.168.1.7:51622 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/160 bytes <-> 2 pkts/646 bytes][Host: ios.nccp.netflix.com] - 35 UDP 192.168.1.7:51728 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/80 bytes <-> 1 pkts/112 bytes][Host: a803.dscg.akamai.net] - 36 UDP 192.168.1.7:52116 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/96 bytes <-> 1 pkts/224 bytes][Host: ichnaea.us-west-2.prodaa.netflix.com] - 37 UDP 192.168.1.7:58102 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/79 bytes <-> 1 pkts/192 bytes][Host: appboot.netflix.com] - 38 UDP 192.168.1.7:59180 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/84 bytes <-> 1 pkts/148 bytes][Host: artwork.akam.nflximg.net] - 39 UDP 192.168.1.7:60962 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/83 bytes <-> 1 pkts/248 bytes][Host: ichnaea.geo.netflix.com] - 40 UDP 192.168.1.7:53776 -> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/2648 bytes -> 0 pkts/0 
bytes] - 41 TCP 192.168.1.7:53164 <-> 23.246.10.139:80 [proto: 7.133/HTTP.NetFlix][24 pkts/2040 bytes <-> 34 pkts/45136 bytes] - 42 TCP 192.168.1.7:53172 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][30 pkts/2610 bytes <-> 20 pkts/22422 bytes] - 43 TCP 192.168.1.7:53210 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][293 pkts/23170 bytes <-> 495 pkts/736113 bytes][Host: 23.246.11.133] - 44 TCP 192.168.1.7:53174 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][35 pkts/2920 bytes <-> 19 pkts/22428 bytes] - 45 TCP 192.168.1.7:53176 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][36 pkts/3030 bytes <-> 21 pkts/25455 bytes] - 46 TCP 192.168.1.7:53178 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][30 pkts/2553 bytes <-> 22 pkts/25510 bytes] - 47 TCP 192.168.1.7:53180 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][34 pkts/2864 bytes <-> 21 pkts/25456 bytes] - 48 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][33 pkts/2732 bytes <-> 25 pkts/30064 bytes] - 49 TCP 192.168.1.7:53184 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][75 pkts/6610 bytes <-> 103 pkts/150772 bytes][Host: 23.246.11.141] - 50 TCP 192.168.1.7:52929 -> 52.24.87.6:443 [proto: 91.178/SSL.Amazon][2 pkts/126 bytes -> 0 pkts/0 bytes] - 51 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][client: api-global.netflix.com][server: api.netflix.com] - 52 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][client: api-global.netflix.com] - 53 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][client: api-global.netflix.com][server: api.netflix.com] - 54 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][client: api-global.netflix.com] - 55 TCP 192.168.1.7:53151 <-> 54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][15 pkts/3626 bytes <-> 26 
pkts/29544 bytes][Host: appboot.netflix.com] - 56 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][client: api-global.netflix.com] - 57 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 58 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] - 59 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 60 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] - 61 TCP 192.168.1.7:53141 <-> 104.86.97.179:443 [proto: 91.133/SSL.NetFlix][83 pkts/7225 bytes <-> 147 pkts/202723 bytes][client: art-s.nflximg.net][server: secure.cdn.nflximg.net] + 17 TCP 192.168.1.7:53251 <-> 184.25.204.10:80 [proto: 7.133/HTTP.NetFlix][16 pkts/1558 bytes <-> 25 pkts/33413 bytes][Host: art-1.nflximg.net] + 18 TCP 192.168.1.7:53151 <-> 54.201.191.132:80 [proto: 7.133/HTTP.NetFlix][15 pkts/3626 bytes <-> 26 pkts/29544 bytes][Host: appboot.netflix.com] + 19 TCP 192.168.1.7:53182 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][33 pkts/2732 bytes <-> 25 pkts/30064 bytes] + 20 TCP 192.168.1.7:53173 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][24 pkts/2041 bytes <-> 25 pkts/30064 bytes] + 21 TCP 192.168.1.7:53175 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][31 pkts/2571 bytes <-> 22 pkts/28042 bytes] + 22 TCP 192.168.1.7:53239 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][22 pkts/6384 bytes <-> 26 pkts/23277 bytes][client: api-global.netflix.com][server: api.netflix.com] + 23 TCP 192.168.1.7:53177 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][32 
pkts/2572 bytes <-> 23 pkts/26661 bytes] + 24 TCP 192.168.1.7:53176 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][36 pkts/3030 bytes <-> 21 pkts/25455 bytes] + 25 TCP 192.168.1.7:53180 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][34 pkts/2864 bytes <-> 21 pkts/25456 bytes] + 26 TCP 192.168.1.7:53178 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][30 pkts/2553 bytes <-> 22 pkts/25510 bytes] + 27 TCP 192.168.1.7:53203 <-> 52.37.36.252:443 [proto: 91.133/SSL.NetFlix][28 pkts/22704 bytes <-> 17 pkts/5248 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] + 28 TCP 192.168.1.7:53249 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][25 pkts/5934 bytes <-> 27 pkts/19952 bytes][client: api-global.netflix.com] + 29 TCP 192.168.1.7:53174 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][35 pkts/2920 bytes <-> 19 pkts/22428 bytes] + 30 TCP 192.168.1.7:53181 <-> 23.246.11.141:80 [proto: 7.133/HTTP.NetFlix][34 pkts/2879 bytes <-> 20 pkts/22373 bytes] + 31 TCP 192.168.1.7:53172 <-> 23.246.11.133:80 [proto: 7.133/HTTP.NetFlix][30 pkts/2610 bytes <-> 20 pkts/22422 bytes] + 32 TCP 192.168.1.7:53202 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][22 pkts/10686 bytes <-> 16 pkts/7850 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 33 TCP 192.168.1.7:53152 <-> 52.89.39.139:80 [proto: 7.133/HTTP.NetFlix][14 pkts/10001 bytes <-> 13 pkts/6504 bytes][Host: api-global.netflix.com] + 34 TCP 192.168.1.7:53162 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][18 pkts/5661 bytes <-> 13 pkts/9059 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 35 TCP 192.168.1.7:53132 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][22 pkts/6028 bytes <-> 18 pkts/7459 bytes][client: api-global.netflix.com][server: api.netflix.com] + 36 TCP 192.168.1.7:53150 <-> 184.25.204.25:80 [proto: 7.133/HTTP.NetFlix][10 pkts/941 bytes <-> 11 pkts/12318 bytes][Host: art-2.nflximg.net] + 37 TCP 192.168.1.7:53119 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][20 
pkts/7639 bytes <-> 16 pkts/5235 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] + 38 TCP 192.168.1.7:53118 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][19 pkts/7588 bytes <-> 15 pkts/5140 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] + 39 TCP 192.168.1.7:53238 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][17 pkts/5528 bytes <-> 14 pkts/5406 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 40 TCP 192.168.1.7:53248 <-> 52.32.22.214:443 [proto: 91.133/SSL.NetFlix][12 pkts/5165 bytes <-> 10 pkts/5074 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 41 TCP 192.168.1.7:53105 <-> 54.69.204.241:443 [proto: 91.133/SSL.NetFlix][21 pkts/3051 bytes <-> 16 pkts/6234 bytes][client: ichnaea.netflix.com][server: customerevents.netflix.com] + 42 TCP 192.168.1.7:53114 <-> 54.191.17.51:443 [proto: 91.133/SSL.NetFlix][14 pkts/3109 bytes <-> 11 pkts/5119 bytes][client: ios.nccp.netflix.com][server: *.nccp.netflix.com] + 43 TCP 192.168.1.7:53134 <-> 52.89.39.139:443 [proto: 91.133/SSL.NetFlix][14 pkts/3548 bytes <-> 11 pkts/4653 bytes][client: api-global.netflix.com] + 44 TCP 192.168.1.7:53115 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][16 pkts/1657 bytes <-> 12 pkts/5005 bytes][client: api-global.netflix.com][server: api.netflix.com] + 45 TCP 192.168.1.7:53250 <-> 52.41.30.5:443 [proto: 91.133/SSL.NetFlix][10 pkts/2830 bytes <-> 7 pkts/2484 bytes][client: api-global.netflix.com] + 46 TCP 192.168.1.7:53117 <-> 52.32.196.36:443 [proto: 91.133/SSL.NetFlix][12 pkts/1294 bytes <-> 8 pkts/1723 bytes][client: api-global.netflix.com] + 47 UDP 192.168.1.7:53776 -> 239.255.255.250:1900 [proto: 12/SSDP][16 pkts/2648 bytes -> 0 pkts/0 bytes] + 48 UDP 192.168.1.7:51622 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/160 bytes <-> 2 pkts/646 bytes][Host: ios.nccp.netflix.com] + 49 UDP 192.168.1.7:51543 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][2 pkts/160 bytes <-> 2 pkts/646 bytes][Host: 
ios.nccp.netflix.com] + 50 UDP 192.168.1.7:52347 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/80 bytes <-> 1 pkts/371 bytes][Host: ios.nccp.netflix.com] + 51 UDP 192.168.1.7:60962 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/83 bytes <-> 1 pkts/248 bytes][Host: ichnaea.geo.netflix.com] + 52 UDP 192.168.1.7:52095 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/97 bytes <-> 1 pkts/225 bytes][Host: api-global.latency.prodaa.netflix.com] + 53 UDP 192.168.1.7:51949 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/97 bytes <-> 1 pkts/225 bytes][Host: api-global.latency.prodaa.netflix.com] + 54 UDP 192.168.1.7:52116 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/96 bytes <-> 1 pkts/224 bytes][Host: ichnaea.us-west-2.prodaa.netflix.com] + 55 UDP 192.168.1.7:58102 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/79 bytes <-> 1 pkts/192 bytes][Host: appboot.netflix.com] + 56 UDP 192.168.1.7:59180 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/84 bytes <-> 1 pkts/148 bytes][Host: artwork.akam.nflximg.net] + 57 UDP 192.168.1.7:57719 <-> 192.168.1.1:53 [proto: 5.133/DNS.NetFlix][1 pkts/85 bytes <-> 1 pkts/137 bytes][Host: sha2.san.akam.nflximg.net] + 58 UDP 192.168.1.7:57093 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/81 bytes <-> 1 pkts/113 bytes][Host: a1907.dscg.akamai.net] + 59 UDP 192.168.1.7:51728 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/80 bytes <-> 1 pkts/112 bytes][Host: a803.dscg.akamai.net] + 60 TCP 192.168.1.7:52929 -> 52.24.87.6:443 [proto: 91.178/SSL.Amazon][2 pkts/126 bytes -> 0 pkts/0 bytes] + 61 IGMP 192.168.1.7:0 -> 239.255.255.250:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/nintendo.pcap.out b/tests/result/nintendo.pcap.out index 149c9bb79..ec8d9b48e 100644 --- a/tests/result/nintendo.pcap.out +++ b/tests/result/nintendo.pcap.out 
@@ -2,24 +2,24 @@ ICMP 30 2100 2 Nintendo 890 320242 12 Amazon 76 10811 7 - 1 UDP 192.168.12.114:52119 <-> 134.3.248.25:56955 [proto: 173/Nintendo][8 pkts/1040 bytes <-> 7 pkts/922 bytes] - 2 TCP 192.168.12.114:11534 <-> 54.146.242.74:443 [proto: 91.178/SSL.Amazon][1 pkts/54 bytes <-> 1 pkts/54 bytes] - 3 UDP 192.168.12.114:52119 -> 35.158.74.61:33335 [proto: 173/Nintendo][3 pkts/354 bytes -> 0 pkts/0 bytes] - 4 UDP 192.168.12.114:55915 -> 35.158.74.61:33335 [proto: 178/Amazon][3 pkts/318 bytes -> 0 pkts/0 bytes] - 5 UDP 192.168.12.114:52119 -> 52.10.205.177:34343 [proto: 178/Amazon][1 pkts/730 bytes -> 0 pkts/0 bytes] - 6 UDP 192.168.12.114:51035 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][1 pkts/110 bytes <-> 1 pkts/281 bytes][Host: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com] - 7 UDP 192.168.12.114:55915 -> 52.10.205.177:34343 [proto: 178/Amazon][1 pkts/298 bytes -> 0 pkts/0 bytes] - 8 UDP 192.168.12.114:10184 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][4 pkts/368 bytes <-> 4 pkts/400 bytes][Host: g2df33d01-lp1.p.srv.nintendo.net] - 9 UDP 192.168.12.114:18874 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][1 pkts/110 bytes <-> 1 pkts/281 bytes][Host: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com] - 10 UDP 192.168.12.114:55915 <-> 93.237.131.235:56066 [proto: 173/Nintendo][122 pkts/48332 bytes <-> 35 pkts/5026 bytes] - 11 UDP 192.168.12.114:55915 -> 35.158.74.61:33334 [proto: 178/Amazon][5 pkts/290 bytes -> 0 pkts/0 bytes] - 12 ICMP 151.6.184.100:0 -> 192.168.12.114:0 [proto: 81/ICMP][21 pkts/1470 bytes -> 0 pkts/0 bytes] + 1 UDP 192.168.12.114:55915 <-> 185.118.169.65:27520 [proto: 173/Nintendo][169 pkts/61414 bytes <-> 278 pkts/126260 bytes] + 2 UDP 192.168.12.114:55915 <-> 93.237.131.235:56066 [proto: 173/Nintendo][122 pkts/48332 bytes <-> 35 pkts/5026 bytes] + 3 UDP 192.168.12.114:55915 <-> 81.61.158.138:51769 [proto: 173/Nintendo][122 pkts/46476 bytes <-> 38 pkts/5268 bytes] + 4 TCP 54.187.10.185:443 <-> 192.168.12.114:48328 [proto: 
91.178/SSL.Amazon][34 pkts/4466 bytes <-> 20 pkts/4021 bytes] + 5 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.173/SSL.Nintendo][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][client: 5][server: *.baas.nintendo.com] + 6 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.173/SSL.Nintendo][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][client: 5][server: *.baas.nintendo.com] + 7 UDP 192.168.12.114:52119 <-> 91.8.243.35:49432 [proto: 173/Nintendo][23 pkts/2682 bytes <-> 16 pkts/3408 bytes] + 8 UDP 192.168.12.114:52119 <-> 109.21.255.11:50251 [proto: 173/Nintendo][8 pkts/1024 bytes <-> 8 pkts/1024 bytes] + 9 UDP 192.168.12.114:52119 <-> 134.3.248.25:56955 [proto: 173/Nintendo][8 pkts/1040 bytes <-> 7 pkts/922 bytes] + 10 ICMP 151.6.184.100:0 -> 192.168.12.114:0 [proto: 81/ICMP][21 pkts/1470 bytes -> 0 pkts/0 bytes] + 11 UDP 192.168.12.114:10184 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][4 pkts/368 bytes <-> 4 pkts/400 bytes][Host: g2df33d01-lp1.p.srv.nintendo.net] + 12 UDP 192.168.12.114:52119 -> 52.10.205.177:34343 [proto: 178/Amazon][1 pkts/730 bytes -> 0 pkts/0 bytes] 13 ICMP 151.6.184.98:0 -> 192.168.12.114:0 [proto: 81/ICMP][9 pkts/630 bytes -> 0 pkts/0 bytes] - 14 TCP 192.168.12.114:31329 <-> 54.192.27.8:443 [proto: 91.173/SSL.Nintendo][10 pkts/2833 bytes <-> 10 pkts/4866 bytes][client: 5][server: *.baas.nintendo.com] - 15 TCP 192.168.12.114:41517 <-> 54.192.27.217:443 [proto: 91.173/SSL.Nintendo][11 pkts/2898 bytes <-> 10 pkts/4865 bytes][client: 5][server: *.baas.nintendo.com] - 16 UDP 192.168.12.114:52119 <-> 91.8.243.35:49432 [proto: 173/Nintendo][23 pkts/2682 bytes <-> 16 pkts/3408 bytes] - 17 TCP 54.187.10.185:443 <-> 192.168.12.114:48328 [proto: 91.178/SSL.Amazon][34 pkts/4466 bytes <-> 20 pkts/4021 bytes] - 18 UDP 192.168.12.114:55915 <-> 81.61.158.138:51769 [proto: 173/Nintendo][122 pkts/46476 bytes <-> 38 pkts/5268 bytes] - 19 UDP 192.168.12.114:52119 <-> 109.21.255.11:50251 [proto: 173/Nintendo][8 pkts/1024 bytes <-> 8 pkts/1024 bytes] - 
20 UDP 192.168.12.114:55915 <-> 185.118.169.65:27520 [proto: 173/Nintendo][169 pkts/61414 bytes <-> 278 pkts/126260 bytes] - 21 UDP 192.168.12.114:55915 <-> 35.158.74.61:10025 [proto: 178/Amazon][5 pkts/290 bytes <-> 5 pkts/290 bytes] \ No newline at end of file + 14 UDP 192.168.12.114:55915 <-> 35.158.74.61:10025 [proto: 178/Amazon][5 pkts/290 bytes <-> 5 pkts/290 bytes] + 15 UDP 192.168.12.114:18874 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][1 pkts/110 bytes <-> 1 pkts/281 bytes][Host: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com] + 16 UDP 192.168.12.114:51035 <-> 192.168.12.1:53 [proto: 5.173/DNS.Nintendo][1 pkts/110 bytes <-> 1 pkts/281 bytes][Host: e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com] + 17 UDP 192.168.12.114:52119 -> 35.158.74.61:33335 [proto: 173/Nintendo][3 pkts/354 bytes -> 0 pkts/0 bytes] + 18 UDP 192.168.12.114:55915 -> 35.158.74.61:33335 [proto: 178/Amazon][3 pkts/318 bytes -> 0 pkts/0 bytes] + 19 UDP 192.168.12.114:55915 -> 52.10.205.177:34343 [proto: 178/Amazon][1 pkts/298 bytes -> 0 pkts/0 bytes] + 20 UDP 192.168.12.114:55915 -> 35.158.74.61:33334 [proto: 178/Amazon][5 pkts/290 bytes -> 0 pkts/0 bytes] + 21 TCP 192.168.12.114:11534 <-> 54.146.242.74:443 [proto: 91.178/SSL.Amazon][1 pkts/54 bytes <-> 1 pkts/54 bytes] diff --git a/tests/result/ocs.pcap.out b/tests/result/ocs.pcap.out index d16dc31de..628f51607 100644 --- a/tests/result/ocs.pcap.out +++ b/tests/result/ocs.pcap.out 
@@ -6,25 +6,25 @@ Google 40 5453 5 OCS 863 57552 7 PlayStore 1 72 1 - 1 TCP 192.168.180.2:42590 -> 178.248.208.210:80 [proto: 7.218/HTTP.OCS][83 pkts/5408 bytes -> 0 pkts/0 bytes][Host: www.ocs.fr] - 2 TCP 192.168.180.2:48250 -> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][6 pkts/1092 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws] - 3 TCP 192.168.180.2:41223 -> 216.58.208.46:443 [proto: 91.126/SSL.Google][13 pkts/1448 bytes -> 0 pkts/0 bytes] - 4 UDP 192.168.180.2:38472 -> 8.8.8.8:53 [proto: 5.218/DNS.OCS][1 pkts/63 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws] - 5 TCP 192.168.180.2:39263 -> 23.21.230.199:443 [proto: 91/SSL][20 pkts/2715 bytes -> 0 pkts/0 bytes][client: settings.crashlytics.com] - 6 UDP 192.168.180.2:48770 -> 8.8.8.8:53 [proto: 5.228/DNS.PlayStore][1 pkts/72 bytes -> 0 pkts/0 bytes][Host: android.clients.google.com] - 7 TCP 192.168.180.2:47803 -> 64.233.166.95:443 [proto: 91.126/SSL.Google][12 pkts/1608 bytes -> 0 pkts/0 bytes] - 8 UDP 192.168.180.2:1291 -> 8.8.8.8:53 [proto: 5/DNS][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] - 9 UDP 192.168.180.2:2589 -> 8.8.8.8:53 [proto: 5.218/DNS.OCS][1 pkts/61 bytes -> 0 pkts/0 bytes][Host: ocs.labgency.ws] - 10 UDP 192.168.180.2:3621 -> 8.8.8.8:53 [proto: 5/DNS][1 pkts/77 bytes -> 0 pkts/0 bytes][Host: xmpp.device06.eu01.capptain.com] - 11 UDP 192.168.180.2:11793 -> 8.8.8.8:53 [proto: 5.126/DNS.Google][1 pkts/65 bytes -> 0 pkts/0 bytes][Host: play.googleapis.com] - 12 TCP 192.168.180.2:36680 -> 178.248.208.54:443 [proto: 91.218/SSL.OCS][20 pkts/6089 bytes -> 0 pkts/0 bytes][client: ocs.labgency.ws] - 13 TCP 192.168.180.2:53356 -> 137.135.129.206:80 [proto: 7/HTTP][6 pkts/479 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] - 14 UDP 192.168.180.2:24245 -> 8.8.8.8:53 [proto: 5.218/DNS.OCS][1 pkts/56 bytes -> 0 pkts/0 bytes][Host: www.ocs.fr] - 15 TCP 192.168.180.2:49881 -> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][751 pkts/44783 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws] - 16 
UDP 192.168.180.2:40097 -> 8.8.8.8:53 [proto: 5/DNS][1 pkts/70 bytes -> 0 pkts/0 bytes][Host: settings.crashlytics.com] - 17 TCP 192.168.180.2:32946 -> 64.233.184.188:443 [proto: 91.126/SSL.Google][12 pkts/2212 bytes -> 0 pkts/0 bytes][client: mtalk.google.com] - 18 TCP 192.168.180.2:47699 -> 64.233.184.188:5228 [proto: 126/Google][2 pkts/120 bytes -> 0 pkts/0 bytes] - 19 TCP 192.168.180.2:44959 -> 137.135.129.206:80 [proto: 7/HTTP][7 pkts/540 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] + 1 TCP 192.168.180.2:49881 -> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][751 pkts/44783 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws] + 2 TCP 192.168.180.2:36680 -> 178.248.208.54:443 [proto: 91.218/SSL.OCS][20 pkts/6089 bytes -> 0 pkts/0 bytes][client: ocs.labgency.ws] + 3 TCP 192.168.180.2:42590 -> 178.248.208.210:80 [proto: 7.218/HTTP.OCS][83 pkts/5408 bytes -> 0 pkts/0 bytes][Host: www.ocs.fr] + 4 TCP 192.168.180.2:39263 -> 23.21.230.199:443 [proto: 91/SSL][20 pkts/2715 bytes -> 0 pkts/0 bytes][client: settings.crashlytics.com] + 5 TCP 192.168.180.2:32946 -> 64.233.184.188:443 [proto: 91.126/SSL.Google][12 pkts/2212 bytes -> 0 pkts/0 bytes][client: mtalk.google.com] + 6 TCP 192.168.180.2:47803 -> 64.233.166.95:443 [proto: 91.126/SSL.Google][12 pkts/1608 bytes -> 0 pkts/0 bytes] + 7 TCP 192.168.180.2:41223 -> 216.58.208.46:443 [proto: 91.126/SSL.Google][13 pkts/1448 bytes -> 0 pkts/0 bytes] + 8 TCP 192.168.180.2:48250 -> 178.248.208.54:80 [proto: 7.218/HTTP.OCS][6 pkts/1092 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws] + 9 TCP 192.168.180.2:44959 -> 137.135.129.206:80 [proto: 7/HTTP][7 pkts/540 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] + 10 TCP 192.168.180.2:53356 -> 137.135.129.206:80 [proto: 7/HTTP][6 pkts/479 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] + 11 TCP 192.168.180.2:47699 -> 64.233.184.188:5228 [proto: 126/Google][2 pkts/120 bytes -> 0 pkts/0 bytes] + 12 UDP 192.168.180.2:3621 -> 8.8.8.8:53 [proto: 5/DNS][1 pkts/77 bytes -> 0 
pkts/0 bytes][Host: xmpp.device06.eu01.capptain.com] + 13 UDP 192.168.180.2:48770 -> 8.8.8.8:53 [proto: 5.228/DNS.PlayStore][1 pkts/72 bytes -> 0 pkts/0 bytes][Host: android.clients.google.com] + 14 UDP 192.168.180.2:40097 -> 8.8.8.8:53 [proto: 5/DNS][1 pkts/70 bytes -> 0 pkts/0 bytes][Host: settings.crashlytics.com] + 15 UDP 192.168.180.2:1291 -> 8.8.8.8:53 [proto: 5/DNS][1 pkts/67 bytes -> 0 pkts/0 bytes][Host: api.eu01.capptain.com] + 16 UDP 192.168.180.2:11793 -> 8.8.8.8:53 [proto: 5.126/DNS.Google][1 pkts/65 bytes -> 0 pkts/0 bytes][Host: play.googleapis.com] + 17 UDP 192.168.180.2:38472 -> 8.8.8.8:53 [proto: 5.218/DNS.OCS][1 pkts/63 bytes -> 0 pkts/0 bytes][Host: ocu03.labgency.ws] + 18 UDP 192.168.180.2:2589 -> 8.8.8.8:53 [proto: 5.218/DNS.OCS][1 pkts/61 bytes -> 0 pkts/0 bytes][Host: ocs.labgency.ws] + 19 UDP 192.168.180.2:24245 -> 8.8.8.8:53 [proto: 5.218/DNS.OCS][1 pkts/56 bytes -> 0 pkts/0 bytes][Host: www.ocs.fr] Undetected flows: diff --git a/tests/result/ookla.pcap.out b/tests/result/ookla.pcap.out index 2d7c07ea9..4a3dd3c5a 100644 --- a/tests/result/ookla.pcap.out +++ b/tests/result/ookla.pcap.out @@ -1,4 +1,4 @@ Ookla 5086 4689745 2 - 1 TCP 192.168.1.7:51207 <-> 46.44.253.187:80 [proto: 7.191/HTTP.Ookla][12 pkts/2238 bytes <-> 8 pkts/2082 bytes] - 2 TCP 192.168.1.7:51215 <-> 46.44.253.187:8080 [proto: 191/Ookla][2202 pkts/1032520 bytes <-> 2864 pkts/3652905 bytes] + 1 TCP 192.168.1.7:51215 <-> 46.44.253.187:8080 [proto: 191/Ookla][2202 pkts/1032520 bytes <-> 2864 pkts/3652905 bytes] + 2 TCP 192.168.1.7:51207 <-> 46.44.253.187:80 [proto: 7.191/HTTP.Ookla][12 pkts/2238 bytes <-> 8 pkts/2082 bytes] diff --git a/tests/result/openvpn.pcap.out b/tests/result/openvpn.pcap.out index 9234d3845..a84b6379a 100644 --- a/tests/result/openvpn.pcap.out +++ b/tests/result/openvpn.pcap.out 
@@ -1,5 +1,5 @@ OpenVPN 298 57111 3 - 1 UDP 192.168.43.12:41507 <-> 139.59.151.137:13680 [proto: 159/OpenVPN][49 pkts/7860 bytes <-> 34 pkts/5699 bytes] - 2 UDP 192.168.43.18:13680 <-> 139.59.151.137:13680 [proto: 159/OpenVPN][62 pkts/11508 bytes <-> 58 pkts/16664 bytes] - 3 TCP 192.168.1.77:60140 <-> 46.101.231.218:443 [proto: 159/OpenVPN][44 pkts/7514 bytes <-> 51 pkts/7866 bytes] + 1 UDP 192.168.43.18:13680 <-> 139.59.151.137:13680 [proto: 159/OpenVPN][62 pkts/11508 bytes <-> 58 pkts/16664 bytes] + 2 TCP 192.168.1.77:60140 <-> 46.101.231.218:443 [proto: 159/OpenVPN][44 pkts/7514 bytes <-> 51 pkts/7866 bytes] + 3 UDP 192.168.43.12:41507 <-> 139.59.151.137:13680 [proto: 159/OpenVPN][49 pkts/7860 bytes <-> 34 pkts/5699 bytes] diff --git a/tests/result/pps.pcap.out b/tests/result/pps.pcap.out index 9be4adae9..776e2a5c6 100644 --- a/tests/result/pps.pcap.out +++ b/tests/result/pps.pcap.out 
@@ -5,113 +5,113 @@ Google 2 1093 1 UPnP 1 130 1 iQIYI 1499 1849369 60 - 1 TCP 117.79.81.135:80 -> 192.168.115.8:50443 [proto: 7.206/HTTP.iQIYI][1 pkts/347 bytes -> 0 pkts/0 bytes] - 2 TCP 192.168.115.8:50490 <-> 119.188.13.188:80 [proto: 7.206/HTTP.iQIYI][1 pkts/357 bytes <-> 1 pkts/479 bytes][Host: pdata.video.qiyi.com] - 3 TCP 192.168.115.8:50497 <-> 123.125.112.49:80 [proto: 7.206/HTTP.iQIYI][1 pkts/1004 bytes <-> 2 pkts/301 bytes][Host: click.hm.baidu.com] - 4 TCP 192.168.115.8:50775 <-> 123.125.111.70:80 [proto: 7.206/HTTP.iQIYI][1 pkts/399 bytes <-> 1 pkts/275 bytes][Host: nl.rcd.iqiyi.com] - 5 TCP 192.168.5.15:65125 -> 68.233.253.133:80 [proto: 7/HTTP][1 pkts/66 bytes -> 0 pkts/0 bytes] - 6 TCP 192.168.5.15:65127 <-> 68.233.253.133:80 [proto: 7.206/HTTP.iQIYI][1 pkts/323 bytes <-> 1 pkts/390 bytes][Host: api.magicansoft.com] - 7 TCP 192.168.115.8:50462 -> 202.108.14.236:80 [proto: 7/HTTP][2 pkts/108 bytes -> 0 pkts/0 bytes] - 8 TCP 192.168.115.8:50474 <-> 202.108.14.221:80 [proto: 7.206/HTTP.iQIYI][1 pkts/1100 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] - 9 TCP 192.168.115.8:50484 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/622 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 10 TCP 202.108.14.219:80 -> 192.168.115.8:50506 [proto: 7.206/HTTP.iQIYI][1 pkts/199 bytes -> 0 pkts/0 bytes] - 11 TCP 192.168.115.8:50470 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/424 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] - 12 TCP 192.168.115.8:50502 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/947 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 13 TCP 192.168.115.8:50504 -> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/946 bytes -> 0 pkts/0 bytes][Host: msg.71.am] - 14 TCP 192.168.115.8:50466 <-> 203.66.182.24:80 [proto: 7.126/HTTP.Google][1 pkts/280 bytes <-> 1 pkts/813 bytes][Host: clients1.google.com] - 15 TCP 192.168.115.8:50774 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/587 bytes <-> 1 pkts/199 bytes][Host: 
msg.71.am] - 16 UDP 192.168.5.63:39383 -> 239.255.255.250:1900 [proto: 153/UPnP][1 pkts/130 bytes -> 0 pkts/0 bytes] - 17 TCP 192.168.115.8:50488 <-> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][1 pkts/311 bytes <-> 2 pkts/2035 bytes][Host: meta.video.qiyi.com] - 18 TCP 192.168.115.8:50508 <-> 223.26.106.19:80 [proto: 7.206/HTTP.iQIYI][1 pkts/198 bytes <-> 1 pkts/420 bytes][Host: static.qiyi.com] - 19 TCP 192.168.115.8:50494 <-> 223.26.106.66:80 [proto: 7.206/HTTP.iQIYI][2 pkts/887 bytes <-> 1 pkts/443 bytes][Host: 223.26.106.66] - 20 TCP 192.168.115.8:50766 <-> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][1 pkts/198 bytes <-> 1 pkts/493 bytes][Host: static.qiyi.com] - 21 TCP 192.168.115.8:50768 <-> 223.26.106.19:80 [proto: 7.206/HTTP.iQIYI][1 pkts/198 bytes <-> 1 pkts/526 bytes][Host: static.qiyi.com] - 22 TCP 192.168.115.8:50778 <-> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][1 pkts/303 bytes <-> 528 pkts/692658 bytes][Host: preimage1.qiyipic.com] - 23 TCP 192.168.115.8:50780 <-> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][1 pkts/303 bytes <-> 541 pkts/710082 bytes][Host: preimage1.qiyipic.com] - 24 UDP 192.168.115.1:50945 -> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1539 bytes -> 0 pkts/0 bytes] - 25 UDP 192.168.5.50:52529 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/1074 bytes -> 0 pkts/0 bytes] - 26 TCP 192.168.115.8:50500 <-> 23.41.133.163:80 [proto: 7.206/HTTP.iQIYI][1 pkts/289 bytes <-> 1 pkts/839 bytes][Host: s1.symcb.com] - 27 UDP 192.168.5.38:58897 -> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1575 bytes -> 0 pkts/0 bytes] - 28 TCP 192.168.115.8:50765 <-> 36.110.220.15:80 [proto: 7.206/HTTP.iQIYI][1 pkts/264 bytes <-> 1 pkts/199 bytes][Host: msg.video.qiyi.com] - 29 UDP 192.168.5.28:60023 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/1050 bytes -> 0 pkts/0 bytes] - 30 UDP 192.168.5.38:1900 -> 239.255.255.250:1900 [proto: 12/SSDP][18 pkts/9327 bytes -> 0 pkts/0 bytes] - 31 TCP 192.168.115.8:50476 <-> 101.227.32.39:80 [proto: 7.206/HTTP.iQIYI][1 
pkts/656 bytes <-> 4 pkts/3897 bytes][Host: cache.video.iqiyi.com] - 32 TCP 192.168.115.8:50496 <-> 101.227.200.11:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1555 bytes <-> 1 pkts/306 bytes][Host: api.cupid.iqiyi.com] - 33 TCP 192.168.115.8:50509 <-> 106.38.219.107:80 [proto: 7.206/HTTP.iQIYI][1 pkts/163 bytes <-> 2 pkts/557 bytes][Host: iplocation.geo.qiyi.com] - 34 TCP 192.168.115.8:50499 <-> 111.206.22.76:80 [proto: 7.206/HTTP.iQIYI][1 pkts/1097 bytes <-> 1 pkts/199 bytes][Host: msg.iqiyi.com] - 35 TCP 192.168.115.8:50777 <-> 111.206.22.77:80 [proto: 7.206/HTTP.iQIYI][1 pkts/1186 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] - 36 TCP 192.168.115.8:50779 <-> 111.206.22.77:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1438 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] - 37 TCP 192.168.115.8:50489 <-> 119.188.13.188:80 [proto: 7.206/HTTP.iQIYI][1 pkts/253 bytes <-> 1 pkts/430 bytes][Host: pdata.video.qiyi.com] - 38 TCP 192.168.115.8:50464 <-> 123.125.112.49:80 [proto: 7.206/HTTP.iQIYI][1 pkts/707 bytes <-> 1 pkts/744 bytes][Host: click.hm.baidu.com] - 39 TCP 192.168.115.8:50772 <-> 123.125.111.70:80 [proto: 7.206/HTTP.iQIYI][1 pkts/399 bytes <-> 1 pkts/275 bytes][Host: nl.rcd.iqiyi.com] - 40 TCP 192.168.5.15:65128 <-> 68.233.253.133:80 [proto: 7.206/HTTP.iQIYI][1 pkts/331 bytes <-> 1 pkts/390 bytes][Host: api.magicansoft.com] - 41 TCP 192.168.115.8:50482 <-> 140.205.243.64:80 [proto: 7.206/HTTP.iQIYI][1 pkts/444 bytes <-> 1 pkts/283 bytes][Host: cmc.tanx.com] - 42 TCP 202.108.14.219:80 -> 192.168.115.8:50295 [proto: 7.206/HTTP.iQIYI][2 pkts/398 bytes -> 0 pkts/0 bytes] - 43 TCP 192.168.115.8:50467 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/629 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 44 TCP 192.168.115.8:50469 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/573 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 45 TCP 192.168.115.8:50471 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1898 bytes <-> 2 pkts/398 bytes][Host: msg.71.am] - 46 TCP 
192.168.115.8:50473 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/944 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 1 TCP 192.168.115.8:50780 <-> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][1 pkts/303 bytes <-> 541 pkts/710082 bytes][Host: preimage1.qiyipic.com] + 2 TCP 192.168.115.8:50778 <-> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][1 pkts/303 bytes <-> 528 pkts/692658 bytes][Host: preimage1.qiyipic.com] + 3 TCP 192.168.115.8:50505 <-> 223.26.106.19:80 [proto: 7.206/HTTP.iQIYI][2 pkts/400 bytes <-> 244 pkts/319633 bytes][Host: static.qiyi.com] + 4 TCP 192.168.115.8:50491 <-> 223.26.106.66:80 [proto: 7.206/HTTP.iQIYI][1 pkts/426 bytes <-> 26 pkts/33872 bytes][Host: 223.26.106.66] + 5 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 7.206/HTTP.iQIYI][11 pkts/11023 bytes <-> 12 pkts/14869 bytes][Host: bcu.ff.avast.com] + 6 UDP 192.168.5.38:1900 -> 239.255.255.250:1900 [proto: 12/SSDP][18 pkts/9327 bytes -> 0 pkts/0 bytes] + 7 TCP 192.168.115.8:50476 <-> 101.227.32.39:80 [proto: 7.206/HTTP.iQIYI][1 pkts/656 bytes <-> 4 pkts/3897 bytes][Host: cache.video.iqiyi.com] + 8 TCP 192.168.115.8:50495 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][3 pkts/2844 bytes <-> 3 pkts/597 bytes][Host: msg.71.am] + 9 TCP 77.234.41.35:80 <-> 192.168.115.8:49174 [proto: 7.206/HTTP.iQIYI][4 pkts/2953 bytes <-> 1 pkts/356 bytes] + 10 TCP 192.168.115.8:50767 <-> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][4 pkts/800 bytes <-> 4 pkts/2112 bytes][Host: static.qiyi.com] + 11 TCP 192.168.115.8:50488 <-> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][1 pkts/311 bytes <-> 2 pkts/2035 bytes][Host: meta.video.qiyi.com] + 12 TCP 192.168.115.8:50471 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1898 bytes <-> 2 pkts/398 bytes][Host: msg.71.am] + 13 TCP 192.168.115.8:50501 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1893 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 14 TCP 192.168.115.8:50496 <-> 101.227.200.11:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1555 bytes <-> 1 pkts/306 
bytes][Host: api.cupid.iqiyi.com] + 15 TCP 192.168.115.8:50463 <-> 101.227.200.11:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1555 bytes <-> 1 pkts/306 bytes][Host: api.cupid.iqiyi.com] + 16 TCP 192.168.115.8:50779 <-> 111.206.22.77:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1438 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] + 17 UDP 192.168.5.38:58897 -> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1575 bytes -> 0 pkts/0 bytes] + 18 UDP 192.168.115.1:50945 -> 239.255.255.250:1900 [proto: 12/SSDP][9 pkts/1539 bytes -> 0 pkts/0 bytes] + 19 TCP 192.168.115.8:50464 <-> 123.125.112.49:80 [proto: 7.206/HTTP.iQIYI][1 pkts/707 bytes <-> 1 pkts/744 bytes][Host: click.hm.baidu.com] + 20 TCP 192.168.115.8:50492 <-> 111.206.13.3:80 [proto: 7.206/HTTP.iQIYI][1 pkts/389 bytes <-> 2 pkts/1034 bytes][Host: pdata.video.qiyi.com] + 21 TCP 192.168.115.8:50777 <-> 111.206.22.77:80 [proto: 7.206/HTTP.iQIYI][1 pkts/1186 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] + 22 TCP 192.168.115.8:50494 <-> 223.26.106.66:80 [proto: 7.206/HTTP.iQIYI][2 pkts/887 bytes <-> 1 pkts/443 bytes][Host: 223.26.106.66] + 23 TCP 192.168.115.8:50497 <-> 123.125.112.49:80 [proto: 7.206/HTTP.iQIYI][1 pkts/1004 bytes <-> 2 pkts/301 bytes][Host: click.hm.baidu.com] + 24 TCP 192.168.115.8:50499 <-> 111.206.22.76:80 [proto: 7.206/HTTP.iQIYI][1 pkts/1097 bytes <-> 1 pkts/199 bytes][Host: msg.iqiyi.com] + 25 TCP 192.168.115.8:50474 <-> 202.108.14.221:80 [proto: 7.206/HTTP.iQIYI][1 pkts/1100 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] + 26 TCP 192.168.115.8:50507 <-> 223.26.106.19:80 [proto: 7.206/HTTP.iQIYI][1 pkts/212 bytes <-> 1 pkts/1063 bytes][Host: static.qiyi.com] + 27 TCP 192.168.115.8:50485 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/947 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 28 TCP 192.168.115.8:50502 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/947 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 29 TCP 192.168.115.8:50493 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/946 
bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 30 TCP 192.168.115.8:50771 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/946 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 31 TCP 192.168.115.8:50473 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/944 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 32 TCP 192.168.115.8:50475 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/941 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 33 TCP 192.168.115.8:50500 <-> 23.41.133.163:80 [proto: 7.206/HTTP.iQIYI][1 pkts/289 bytes <-> 1 pkts/839 bytes][Host: s1.symcb.com] + 34 TCP 192.168.115.8:50773 <-> 202.108.14.221:80 [proto: 7.206/HTTP.iQIYI][1 pkts/919 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 35 TCP 192.168.115.8:50466 <-> 203.66.182.24:80 [proto: 7.126/HTTP.Google][1 pkts/280 bytes <-> 1 pkts/813 bytes][Host: clients1.google.com] + 36 UDP 192.168.5.50:52529 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/1074 bytes -> 0 pkts/0 bytes] + 37 UDP 192.168.5.57:59648 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/1050 bytes -> 0 pkts/0 bytes] + 38 UDP 192.168.5.28:60023 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/1050 bytes -> 0 pkts/0 bytes] + 39 TCP 192.168.115.8:50504 -> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/946 bytes -> 0 pkts/0 bytes][Host: msg.71.am] + 40 TCP 192.168.115.8:50769 <-> 101.227.200.11:80 [proto: 7.206/HTTP.iQIYI][1 pkts/604 bytes <-> 1 pkts/291 bytes][Host: api.cupid.iqiyi.com] + 41 TCP 192.168.115.8:50498 <-> 36.110.220.15:80 [proto: 7.206/HTTP.iQIYI][1 pkts/694 bytes <-> 1 pkts/199 bytes][Host: msg.video.qiyi.com] + 42 TCP 192.168.115.8:50503 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/683 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 43 UDP 192.168.5.41:50374 -> 239.255.255.250:1900 [proto: 12/SSDP][5 pkts/875 bytes -> 0 pkts/0 bytes] + 44 TCP 192.168.115.8:50490 <-> 119.188.13.188:80 [proto: 7.206/HTTP.iQIYI][1 pkts/357 bytes <-> 1 pkts/479 bytes][Host: pdata.video.qiyi.com] + 45 TCP 192.168.115.8:50467 
<-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/629 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 46 TCP 192.168.115.8:50484 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/622 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] 47 TCP 192.168.115.8:50477 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/614 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 48 TCP 192.168.115.8:50483 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/417 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 49 TCP 192.168.115.8:50487 -> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/683 bytes -> 0 pkts/0 bytes][Host: msg.71.am] - 50 TCP 192.168.115.8:50503 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/683 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 51 TCP 192.168.115.8:50475 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/941 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 52 TCP 192.168.115.8:50485 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/947 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 53 TCP 192.168.115.8:50493 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/946 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 54 TCP 192.168.115.8:50495 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][3 pkts/2844 bytes <-> 3 pkts/597 bytes][Host: msg.71.am] - 55 TCP 192.168.115.8:50501 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1893 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 56 TCP 192.168.115.8:50771 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/946 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 57 TCP 192.168.115.8:50773 <-> 202.108.14.221:80 [proto: 7.206/HTTP.iQIYI][1 pkts/919 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] - 58 TCP 192.168.115.8:50491 <-> 223.26.106.66:80 [proto: 7.206/HTTP.iQIYI][1 pkts/426 bytes <-> 26 pkts/33872 bytes][Host: 223.26.106.66] - 59 TCP 192.168.115.8:50505 <-> 223.26.106.19:80 [proto: 7.206/HTTP.iQIYI][2 pkts/400 bytes <-> 244 pkts/319633 bytes][Host: static.qiyi.com] - 60 TCP 
192.168.115.8:50507 <-> 223.26.106.19:80 [proto: 7.206/HTTP.iQIYI][1 pkts/212 bytes <-> 1 pkts/1063 bytes][Host: static.qiyi.com] - 61 TCP 192.168.115.8:50767 <-> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][4 pkts/800 bytes <-> 4 pkts/2112 bytes][Host: static.qiyi.com] - 62 TCP 192.168.115.8:50781 -> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][1 pkts/303 bytes -> 0 pkts/0 bytes][Host: preimage1.qiyipic.com] - 63 UDP 192.168.5.41:50374 -> 239.255.255.250:1900 [proto: 12/SSDP][5 pkts/875 bytes -> 0 pkts/0 bytes] - 64 TCP 192.168.115.8:50498 <-> 36.110.220.15:80 [proto: 7.206/HTTP.iQIYI][1 pkts/694 bytes <-> 1 pkts/199 bytes][Host: msg.video.qiyi.com] - 65 UDP 192.168.5.57:59648 -> 239.255.255.250:1900 [proto: 12/SSDP][6 pkts/1050 bytes -> 0 pkts/0 bytes] - 66 UDP 192.168.5.63:60976 -> 239.255.255.250:1900 [proto: 12/SSDP][1 pkts/165 bytes -> 0 pkts/0 bytes] - 67 UDP 192.168.5.48:63930 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/358 bytes -> 0 pkts/0 bytes] - 68 TCP 77.234.41.35:80 <-> 192.168.115.8:49174 [proto: 7.206/HTTP.iQIYI][4 pkts/2953 bytes <-> 1 pkts/356 bytes] - 69 TCP 192.168.115.8:50486 <-> 77.234.40.96:80 [proto: 7.206/HTTP.iQIYI][11 pkts/11023 bytes <-> 12 pkts/14869 bytes][Host: bcu.ff.avast.com] - 70 TCP 192.168.115.8:50463 <-> 101.227.200.11:80 [proto: 7.206/HTTP.iQIYI][2 pkts/1555 bytes <-> 1 pkts/306 bytes][Host: api.cupid.iqiyi.com] - 71 TCP 192.168.115.8:50769 <-> 101.227.200.11:80 [proto: 7.206/HTTP.iQIYI][1 pkts/604 bytes <-> 1 pkts/291 bytes][Host: api.cupid.iqiyi.com] - 72 TCP 192.168.115.8:50492 <-> 111.206.13.3:80 [proto: 7.206/HTTP.iQIYI][1 pkts/389 bytes <-> 2 pkts/1034 bytes][Host: pdata.video.qiyi.com] - 73 TCP 192.168.115.8:50776 <-> 111.206.22.77:80 [proto: 7.206/HTTP.iQIYI][1 pkts/394 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] + 48 TCP 192.168.115.8:50774 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/587 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 49 TCP 192.168.115.8:50469 <-> 202.108.14.219:80 [proto: 
7.206/HTTP.iQIYI][1 pkts/573 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 50 TCP 192.168.115.8:50482 <-> 140.205.243.64:80 [proto: 7.206/HTTP.iQIYI][1 pkts/444 bytes <-> 1 pkts/283 bytes][Host: cmc.tanx.com] + 51 TCP 192.168.115.8:50768 <-> 223.26.106.19:80 [proto: 7.206/HTTP.iQIYI][1 pkts/198 bytes <-> 1 pkts/526 bytes][Host: static.qiyi.com] + 52 TCP 192.168.5.15:65128 <-> 68.233.253.133:80 [proto: 7.206/HTTP.iQIYI][1 pkts/331 bytes <-> 1 pkts/390 bytes][Host: api.magicansoft.com] + 53 TCP 192.168.115.8:50509 <-> 106.38.219.107:80 [proto: 7.206/HTTP.iQIYI][1 pkts/163 bytes <-> 2 pkts/557 bytes][Host: iplocation.geo.qiyi.com] + 54 TCP 192.168.5.15:65127 <-> 68.233.253.133:80 [proto: 7.206/HTTP.iQIYI][1 pkts/323 bytes <-> 1 pkts/390 bytes][Host: api.magicansoft.com] + 55 TCP 192.168.115.8:50766 <-> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][1 pkts/198 bytes <-> 1 pkts/493 bytes][Host: static.qiyi.com] + 56 TCP 192.168.115.8:50487 -> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/683 bytes -> 0 pkts/0 bytes][Host: msg.71.am] + 57 TCP 192.168.115.8:50489 <-> 119.188.13.188:80 [proto: 7.206/HTTP.iQIYI][1 pkts/253 bytes <-> 1 pkts/430 bytes][Host: pdata.video.qiyi.com] + 58 TCP 192.168.115.8:50772 <-> 123.125.111.70:80 [proto: 7.206/HTTP.iQIYI][1 pkts/399 bytes <-> 1 pkts/275 bytes][Host: nl.rcd.iqiyi.com] + 59 TCP 192.168.115.8:50775 <-> 123.125.111.70:80 [proto: 7.206/HTTP.iQIYI][1 pkts/399 bytes <-> 1 pkts/275 bytes][Host: nl.rcd.iqiyi.com] + 60 TCP 192.168.115.8:50508 <-> 223.26.106.19:80 [proto: 7.206/HTTP.iQIYI][1 pkts/198 bytes <-> 1 pkts/420 bytes][Host: static.qiyi.com] + 61 TCP 192.168.115.8:50470 <-> 202.108.14.236:80 [proto: 7.206/HTTP.iQIYI][1 pkts/424 bytes <-> 1 pkts/194 bytes][Host: msg.iqiyi.com] + 62 TCP 192.168.115.8:50483 <-> 202.108.14.219:80 [proto: 7.206/HTTP.iQIYI][1 pkts/417 bytes <-> 1 pkts/199 bytes][Host: msg.71.am] + 63 TCP 192.168.115.8:50776 <-> 111.206.22.77:80 [proto: 7.206/HTTP.iQIYI][1 pkts/394 bytes <-> 1 pkts/194 bytes][Host: 
msg.iqiyi.com] + 64 TCP 192.168.115.8:50765 <-> 36.110.220.15:80 [proto: 7.206/HTTP.iQIYI][1 pkts/264 bytes <-> 1 pkts/199 bytes][Host: msg.video.qiyi.com] + 65 TCP 202.108.14.219:80 -> 192.168.115.8:50295 [proto: 7.206/HTTP.iQIYI][2 pkts/398 bytes -> 0 pkts/0 bytes] + 66 UDP 192.168.5.48:63930 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/358 bytes -> 0 pkts/0 bytes] + 67 TCP 117.79.81.135:80 -> 192.168.115.8:50443 [proto: 7.206/HTTP.iQIYI][1 pkts/347 bytes -> 0 pkts/0 bytes] + 68 TCP 192.168.115.8:50781 -> 223.26.106.20:80 [proto: 7.206/HTTP.iQIYI][1 pkts/303 bytes -> 0 pkts/0 bytes][Host: preimage1.qiyipic.com] + 69 TCP 202.108.14.219:80 -> 192.168.115.8:50506 [proto: 7.206/HTTP.iQIYI][1 pkts/199 bytes -> 0 pkts/0 bytes] + 70 UDP 192.168.5.63:60976 -> 239.255.255.250:1900 [proto: 12/SSDP][1 pkts/165 bytes -> 0 pkts/0 bytes] + 71 UDP 192.168.5.63:39383 -> 239.255.255.250:1900 [proto: 153/UPnP][1 pkts/130 bytes -> 0 pkts/0 bytes] + 72 TCP 192.168.115.8:50462 -> 202.108.14.236:80 [proto: 7/HTTP][2 pkts/108 bytes -> 0 pkts/0 bytes] + 73 TCP 192.168.5.15:65125 -> 68.233.253.133:80 [proto: 7/HTTP][1 pkts/66 bytes -> 0 pkts/0 bytes] Undetected flows: - 1 UDP 192.168.115.8:22793 -> 222.26.74.190:1037 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 2 UDP 192.168.115.8:22793 -> 115.157.62.243:29006 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 3 UDP 183.228.182.44:13913 <-> 192.168.115.8:22793 [proto: 0/Unknown][1 pkts/87 bytes <-> 2 pkts/170 bytes] - 4 UDP 192.168.115.8:22793 <-> 222.197.138.12:6956 [proto: 0/Unknown][30 pkts/2370 bytes <-> 10 pkts/10042 bytes] - 5 UDP 192.168.115.8:22793 -> 222.26.193.119:7133 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 6 UDP 192.168.115.8:22793 -> 183.61.167.82:17788 [proto: 0/Unknown][2 pkts/188 bytes -> 0 pkts/0 bytes] - 7 UDP 192.168.115.8:22793 -> 183.61.167.104:17788 [proto: 0/Unknown][2 pkts/260 bytes -> 0 pkts/0 bytes] - 8 UDP 192.168.115.8:22793 <-> 202.198.7.89:16039 [proto: 0/Unknown][2 
pkts/158 bytes <-> 3 pkts/3323 bytes] - 9 UDP 192.168.115.8:22793 -> 1.175.128.104:5185 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 10 UDP 192.168.115.8:22793 -> 218.61.39.103:17788 [proto: 0/Unknown][2 pkts/300 bytes -> 0 pkts/0 bytes] + 1 UDP 1.173.5.226:22636 <-> 192.168.115.8:22793 [proto: 0/Unknown][130 pkts/143912 bytes <-> 270 pkts/21334 bytes] + 2 UDP 192.168.115.8:22793 <-> 114.42.0.158:7716 [proto: 0/Unknown][229 pkts/18091 bytes <-> 109 pkts/120663 bytes] + 3 UDP 118.171.15.56:5544 <-> 192.168.115.8:22793 [proto: 0/Unknown][30 pkts/33210 bytes <-> 71 pkts/5609 bytes] + 4 UDP 192.168.115.8:22793 <-> 219.228.107.156:1250 [proto: 0/Unknown][34 pkts/2686 bytes <-> 11 pkts/12177 bytes] + 5 UDP 192.168.115.8:22793 <-> 222.197.138.12:6956 [proto: 0/Unknown][30 pkts/2370 bytes <-> 10 pkts/10042 bytes] + 6 UDP 192.168.115.8:22793 <-> 202.198.7.89:16039 [proto: 0/Unknown][2 pkts/158 bytes <-> 3 pkts/3323 bytes] + 7 UDP 192.168.115.8:22793 -> 1.169.136.116:17951 [proto: 0/Unknown][4 pkts/512 bytes -> 0 pkts/0 bytes] + 8 UDP 192.168.115.8:22793 -> 114.41.144.153:10492 [proto: 0/Unknown][4 pkts/512 bytes -> 0 pkts/0 bytes] + 9 UDP 192.168.115.8:22793 -> 218.61.39.103:17788 [proto: 0/Unknown][2 pkts/300 bytes -> 0 pkts/0 bytes] + 10 UDP 192.168.115.8:22793 -> 183.61.167.104:17788 [proto: 0/Unknown][2 pkts/260 bytes -> 0 pkts/0 bytes] 11 UDP 192.168.115.8:22793 -> 218.61.39.87:17788 [proto: 0/Unknown][2 pkts/260 bytes -> 0 pkts/0 bytes] - 12 UDP 192.168.115.8:22793 -> 1.169.136.116:17951 [proto: 0/Unknown][4 pkts/512 bytes -> 0 pkts/0 bytes] - 13 UDP 192.168.115.8:22793 -> 210.47.12.19:33738 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 14 UDP 192.168.115.8:22793 -> 210.47.12.20:33738 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] + 12 UDP 192.168.115.8:22793 -> 119.188.133.182:17788 [proto: 0/Unknown][2 pkts/260 bytes -> 0 pkts/0 bytes] + 13 UDP 183.228.182.44:13913 <-> 192.168.115.8:22793 [proto: 0/Unknown][1 pkts/87 bytes <-> 2 
pkts/170 bytes] + 14 UDP 192.168.115.8:22793 -> 183.61.167.82:17788 [proto: 0/Unknown][2 pkts/188 bytes -> 0 pkts/0 bytes] 15 UDP 192.168.115.8:22793 -> 220.130.154.23:35941 [proto: 0/Unknown][2 pkts/174 bytes -> 0 pkts/0 bytes] - 16 UDP 192.168.115.8:22793 -> 61.227.170.88:20227 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 17 UDP 192.168.115.8:22793 <-> 114.42.0.158:7716 [proto: 0/Unknown][229 pkts/18091 bytes <-> 109 pkts/120663 bytes] - 18 UDP 192.168.115.8:22793 -> 119.188.133.182:17788 [proto: 0/Unknown][2 pkts/260 bytes -> 0 pkts/0 bytes] - 19 UDP 192.168.115.8:22793 <-> 219.228.107.156:1250 [proto: 0/Unknown][34 pkts/2686 bytes <-> 11 pkts/12177 bytes] - 20 UDP 192.168.115.8:22793 -> 111.249.53.196:32443 [proto: 0/Unknown][2 pkts/158 bytes -> 0 pkts/0 bytes] + 16 UDP 192.168.115.8:22793 -> 111.249.53.196:32443 [proto: 0/Unknown][2 pkts/158 bytes -> 0 pkts/0 bytes] + 17 UDP 192.168.115.8:22793 -> 111.117.101.81:10162 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] + 18 UDP 192.168.115.8:22793 -> 210.47.12.20:33738 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] + 19 UDP 192.168.115.8:22793 -> 114.47.91.129:22576 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] + 20 UDP 192.168.115.8:22793 -> 210.47.12.19:33738 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] 21 UDP 192.168.115.8:22793 -> 210.44.232.243:21044 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] 22 UDP 192.168.115.8:22793 -> 36.237.154.69:4316 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] 23 UDP 192.168.115.8:22793 -> 202.112.31.89:29072 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 24 UDP 192.168.115.8:22793 -> 210.44.171.1:29702 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 25 UDP 1.173.5.226:22636 <-> 192.168.115.8:22793 [proto: 0/Unknown][130 pkts/143912 bytes <-> 270 pkts/21334 bytes] + 24 UDP 192.168.115.8:22793 -> 61.227.170.88:20227 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] + 25 UDP 192.168.115.8:22793 
-> 1.175.128.104:5185 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] 26 UDP 192.168.115.8:22793 -> 61.223.204.67:11102 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] 27 UDP 192.168.115.8:22793 -> 36.233.39.81:18590 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] 28 UDP 192.168.115.8:22793 -> 111.250.102.66:1107 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] 29 UDP 192.168.115.8:22793 -> 114.37.142.173:1074 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 30 UDP 118.171.15.56:5544 <-> 192.168.115.8:22793 [proto: 0/Unknown][30 pkts/33210 bytes <-> 71 pkts/5609 bytes] - 31 UDP 192.168.115.8:22793 -> 111.117.101.81:10162 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 32 UDP 192.168.115.8:22793 -> 114.41.144.153:10492 [proto: 0/Unknown][4 pkts/512 bytes -> 0 pkts/0 bytes] - 33 UDP 192.168.115.8:22793 -> 121.248.133.93:12757 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] - 34 UDP 192.168.115.8:22793 -> 114.47.91.129:22576 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] + 30 UDP 192.168.115.8:22793 -> 222.26.193.119:7133 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] + 31 UDP 192.168.115.8:22793 -> 210.44.171.1:29702 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] + 32 UDP 192.168.115.8:22793 -> 121.248.133.93:12757 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] + 33 UDP 192.168.115.8:22793 -> 115.157.62.243:29006 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] + 34 UDP 192.168.115.8:22793 -> 222.26.74.190:1037 [proto: 0/Unknown][2 pkts/132 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/quic.pcap.out b/tests/result/quic.pcap.out index 011be0b35..8e1404134 100644 --- a/tests/result/quic.pcap.out +++ b/tests/result/quic.pcap.out 
@@ -4,15 +4,15 @@ YouTube 85 76193 5 Google 11 10063 2 QUIC 3 364 1 - 1 UDP 192.168.1.105:48445 <-> 216.58.214.110:443 [proto: 188.124/QUIC.YouTube][2 pkts/1471 bytes <-> 1 pkts/1392 bytes][Host: i.ytimg.com] - 2 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188.124/QUIC.YouTube][1 pkts/1392 bytes <-> 1 pkts/1392 bytes][Host: yt3.ggpht.com] - 3 UDP 192.168.1.109:57833 <-> 216.58.212.101:443 [proto: 188.122/QUIC.GMail][161 pkts/23930 bytes <-> 252 pkts/230944 bytes][Host: mail.google.com] - 4 UDP 192.168.1.105:40461 <-> 172.217.16.3:443 [proto: 188/QUIC][2 pkts/241 bytes <-> 1 pkts/123 bytes] - 5 UDP 192.168.1.105:45669 <-> 172.217.16.4:443 [proto: 188.126/QUIC.Google][3 pkts/1550 bytes <-> 2 pkts/2784 bytes][Host: www.google.com] - 6 UDP 192.168.1.105:34438 <-> 216.58.210.238:443 [proto: 188.124/QUIC.YouTube][4 pkts/3682 bytes <-> 3 pkts/2863 bytes][Host: www.youtube.com] - 7 UDP 192.168.1.109:35236 <-> 216.58.210.206:443 [proto: 188.124/QUIC.YouTube][25 pkts/5276 bytes <-> 44 pkts/53157 bytes][Host: www.youtube.com] - 8 UDP 192.168.1.105:40030 <-> 216.58.201.227:443 [proto: 188.126/QUIC.Google][3 pkts/2866 bytes <-> 3 pkts/2863 bytes][Host: fonts.gstatic.com] - 9 UDP 192.168.1.105:55934 <-> 216.58.201.238:443 [proto: 188.124/QUIC.YouTube][2 pkts/2784 bytes <-> 2 pkts/2784 bytes][Host: s.ytimg.com] + 1 UDP 192.168.1.109:57833 <-> 216.58.212.101:443 [proto: 188.122/QUIC.GMail][161 pkts/23930 bytes <-> 252 pkts/230944 bytes][Host: mail.google.com] + 2 UDP 192.168.1.109:35236 <-> 216.58.210.206:443 [proto: 188.124/QUIC.YouTube][25 pkts/5276 bytes <-> 44 pkts/53157 bytes][Host: www.youtube.com] + 3 UDP 192.168.1.105:34438 <-> 216.58.210.238:443 [proto: 188.124/QUIC.YouTube][4 pkts/3682 bytes <-> 3 pkts/2863 bytes][Host: www.youtube.com] + 4 UDP 192.168.1.105:40030 <-> 216.58.201.227:443 [proto: 188.126/QUIC.Google][3 pkts/2866 bytes <-> 3 pkts/2863 bytes][Host: fonts.gstatic.com] + 5 UDP 192.168.1.105:55934 <-> 216.58.201.238:443 [proto: 
188.124/QUIC.YouTube][2 pkts/2784 bytes <-> 2 pkts/2784 bytes][Host: s.ytimg.com] + 6 UDP 192.168.1.105:45669 <-> 172.217.16.4:443 [proto: 188.126/QUIC.Google][3 pkts/1550 bytes <-> 2 pkts/2784 bytes][Host: www.google.com] + 7 UDP 192.168.1.105:48445 <-> 216.58.214.110:443 [proto: 188.124/QUIC.YouTube][2 pkts/1471 bytes <-> 1 pkts/1392 bytes][Host: i.ytimg.com] + 8 UDP 192.168.1.105:53817 <-> 216.58.210.225:443 [proto: 188.124/QUIC.YouTube][1 pkts/1392 bytes <-> 1 pkts/1392 bytes][Host: yt3.ggpht.com] + 9 UDP 192.168.1.105:40461 <-> 172.217.16.3:443 [proto: 188/QUIC][2 pkts/241 bytes <-> 1 pkts/123 bytes] Undetected flows: diff --git a/tests/result/quickplay.pcap.out b/tests/result/quickplay.pcap.out index 87b488520..287047233 100644 --- a/tests/result/quickplay.pcap.out +++ b/tests/result/quickplay.pcap.out 
@@ -4,24 +4,24 @@ Google 2 378 1 Amazon 2 1469 1 QuickPlay 133 96179 11 - 1 TCP 10.54.169.250:33277 <-> 120.28.26.231:80 [proto: 7.126/HTTP.Google][1 pkts/241 bytes <-> 1 pkts/137 bytes][Host: clients3.google.com] - 2 TCP 10.54.169.250:50669 <-> 120.28.35.41:80 [proto: 7.196/HTTP.QuickPlay][2 pkts/844 bytes <-> 2 pkts/2836 bytes][Host: api-singtelhawk.quickplay.com] - 3 TCP 10.54.169.250:52007 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][3 pkts/1583 bytes <-> 1 pkts/1152 bytes][Host: vod-singtelhawk.quickplay.com] - 4 TCP 10.54.169.250:52009 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][35 pkts/17902 bytes <-> 30 pkts/28000 bytes][Host: vod-singtelhawk.quickplay.com] - 5 TCP 10.54.169.250:52017 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][5 pkts/2510 bytes <-> 3 pkts/3522 bytes][Host: vod-singtelhawk.quickplay.com] - 6 TCP 10.54.169.250:52019 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][14 pkts/7028 bytes <-> 11 pkts/12578 bytes][Host: vod-singtelhawk.quickplay.com] - 7 TCP 10.54.169.250:52021 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][3 pkts/1506 bytes <-> 1 pkts/1248 bytes][Host: vod-singtelhawk.quickplay.com] - 8 TCP 10.54.169.250:35670 <-> 203.205.147.215:80 [proto: 7.48/HTTP.QQ][1 pkts/681 bytes <-> 1 pkts/262 bytes][Host: hkminorshort.weixin.qq.com] - 9 TCP 10.54.169.250:42762 <-> 203.205.129.101:80 [proto: 7.48/HTTP.QQ][1 pkts/616 bytes <-> 1 pkts/261 bytes][Host: hkextshort.weixin.qq.com] - 10 TCP 10.54.169.250:52285 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][1 pkts/243 bytes <-> 1 pkts/339 bytes][Host: www.facebook.com] - 11 TCP 10.54.169.250:44793 <-> 31.13.68.49:80 [proto: 7.119/HTTP.Facebook][1 pkts/237 bytes <-> 1 pkts/339 bytes][Host: www.facebook.com] - 12 TCP 10.54.169.250:33064 <-> 120.28.5.18:80 [proto: 7.196/HTTP.QuickPlay][1 pkts/358 bytes <-> 1 pkts/109 bytes][Host: api-singtelhawk.quickplay.com] - 13 TCP 10.54.169.250:56381 <-> 54.179.140.65:80 [proto: 7.178/HTTP.Amazon][1 pkts/638 bytes <-> 1 pkts/831 
bytes][Host: api.account.xiaomi.com] - 14 TCP 10.54.169.250:44256 <-> 120.28.5.41:80 [proto: 7.196/HTTP.QuickPlay][2 pkts/1086 bytes <-> 1 pkts/1225 bytes][Host: play-singtelhawk.quickplay.com] - 15 TCP 10.54.169.250:50668 <-> 120.28.35.41:80 [proto: 7.196/HTTP.QuickPlay][2 pkts/733 bytes <-> 2 pkts/2627 bytes][Host: api-singtelhawk.quickplay.com] - 16 TCP 10.54.169.250:52018 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][4 pkts/2008 bytes <-> 3 pkts/3040 bytes][Host: vod-singtelhawk.quickplay.com] - 17 TCP 10.54.169.250:52022 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][4 pkts/2008 bytes <-> 3 pkts/2276 bytes][Host: vod-singtelhawk.quickplay.com] - 18 TCP 10.54.169.250:42761 <-> 203.205.129.101:80 [proto: 7.48/HTTP.QQ][1 pkts/380 bytes <-> 1 pkts/261 bytes][Host: hkextshort.weixin.qq.com] - 19 TCP 10.54.169.250:52288 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][1 pkts/243 bytes <-> 1 pkts/339 bytes][Host: www.facebook.com] - 20 TCP 10.54.169.250:54883 <-> 203.205.151.160:80 [proto: 7.48/HTTP.QQ][2 pkts/1192 bytes <-> 1 pkts/145 bytes][Host: hkextshort.weixin.qq.com] - 21 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 7.48/HTTP.QQ][1 pkts/461 bytes <-> 2 pkts/522 bytes][Host: hkextshort.weixin.qq.com] + 1 TCP 10.54.169.250:52009 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][35 pkts/17902 bytes <-> 30 pkts/28000 bytes][Host: vod-singtelhawk.quickplay.com] + 2 TCP 10.54.169.250:52019 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][14 pkts/7028 bytes <-> 11 pkts/12578 bytes][Host: vod-singtelhawk.quickplay.com] + 3 TCP 10.54.169.250:52017 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][5 pkts/2510 bytes <-> 3 pkts/3522 bytes][Host: vod-singtelhawk.quickplay.com] + 4 TCP 10.54.169.250:52018 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][4 pkts/2008 bytes <-> 3 pkts/3040 bytes][Host: vod-singtelhawk.quickplay.com] + 5 TCP 10.54.169.250:52022 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][4 pkts/2008 bytes <-> 3 pkts/2276 bytes][Host: 
vod-singtelhawk.quickplay.com] + 6 TCP 10.54.169.250:50669 <-> 120.28.35.41:80 [proto: 7.196/HTTP.QuickPlay][2 pkts/844 bytes <-> 2 pkts/2836 bytes][Host: api-singtelhawk.quickplay.com] + 7 TCP 10.54.169.250:50668 <-> 120.28.35.41:80 [proto: 7.196/HTTP.QuickPlay][2 pkts/733 bytes <-> 2 pkts/2627 bytes][Host: api-singtelhawk.quickplay.com] + 8 TCP 10.54.169.250:52021 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][3 pkts/1506 bytes <-> 1 pkts/1248 bytes][Host: vod-singtelhawk.quickplay.com] + 9 TCP 10.54.169.250:52007 <-> 120.28.35.40:80 [proto: 7.196/HTTP.QuickPlay][3 pkts/1583 bytes <-> 1 pkts/1152 bytes][Host: vod-singtelhawk.quickplay.com] + 10 TCP 10.54.169.250:44256 <-> 120.28.5.41:80 [proto: 7.196/HTTP.QuickPlay][2 pkts/1086 bytes <-> 1 pkts/1225 bytes][Host: play-singtelhawk.quickplay.com] + 11 TCP 10.54.169.250:56381 <-> 54.179.140.65:80 [proto: 7.178/HTTP.Amazon][1 pkts/638 bytes <-> 1 pkts/831 bytes][Host: api.account.xiaomi.com] + 12 TCP 10.54.169.250:54883 <-> 203.205.151.160:80 [proto: 7.48/HTTP.QQ][2 pkts/1192 bytes <-> 1 pkts/145 bytes][Host: hkextshort.weixin.qq.com] + 13 TCP 10.54.169.250:54885 <-> 203.205.151.160:80 [proto: 7.48/HTTP.QQ][1 pkts/461 bytes <-> 2 pkts/522 bytes][Host: hkextshort.weixin.qq.com] + 14 TCP 10.54.169.250:35670 <-> 203.205.147.215:80 [proto: 7.48/HTTP.QQ][1 pkts/681 bytes <-> 1 pkts/262 bytes][Host: hkminorshort.weixin.qq.com] + 15 TCP 10.54.169.250:42762 <-> 203.205.129.101:80 [proto: 7.48/HTTP.QQ][1 pkts/616 bytes <-> 1 pkts/261 bytes][Host: hkextshort.weixin.qq.com] + 16 TCP 10.54.169.250:42761 <-> 203.205.129.101:80 [proto: 7.48/HTTP.QQ][1 pkts/380 bytes <-> 1 pkts/261 bytes][Host: hkextshort.weixin.qq.com] + 17 TCP 10.54.169.250:52285 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][1 pkts/243 bytes <-> 1 pkts/339 bytes][Host: www.facebook.com] + 18 TCP 10.54.169.250:52288 <-> 173.252.74.22:80 [proto: 7.119/HTTP.Facebook][1 pkts/243 bytes <-> 1 pkts/339 bytes][Host: www.facebook.com] + 19 TCP 10.54.169.250:44793 
<-> 31.13.68.49:80 [proto: 7.119/HTTP.Facebook][1 pkts/237 bytes <-> 1 pkts/339 bytes][Host: www.facebook.com] + 20 TCP 10.54.169.250:33064 <-> 120.28.5.18:80 [proto: 7.196/HTTP.QuickPlay][1 pkts/358 bytes <-> 1 pkts/109 bytes][Host: api-singtelhawk.quickplay.com] + 21 TCP 10.54.169.250:33277 <-> 120.28.26.231:80 [proto: 7.126/HTTP.Google][1 pkts/241 bytes <-> 1 pkts/137 bytes][Host: clients3.google.com] diff --git a/tests/result/rx.pcap.out b/tests/result/rx.pcap.out index 78c605549..3c37d1c31 100644 --- a/tests/result/rx.pcap.out +++ b/tests/result/rx.pcap.out @@ -1,7 +1,7 @@ RX 132 26475 5 - 1 UDP 131.114.219.168:38331 <-> 192.167.206.124:7002 [proto: 223/RX][2 pkts/441 bytes <-> 1 pkts/78 bytes] - 2 UDP 131.114.219.168:41559 <-> 192.167.206.124:7002 [proto: 223/RX][2 pkts/441 bytes <-> 1 pkts/78 bytes] - 3 UDP 131.114.219.168:7001 <-> 192.167.206.124:7003 [proto: 223/RX][18 pkts/1833 bytes <-> 9 pkts/8086 bytes] - 4 UDP 131.114.219.168:7001 <-> 192.167.206.241:7000 [proto: 223/RX][48 pkts/6808 bytes <-> 31 pkts/5568 bytes] - 5 UDP 131.114.219.168:7001 <-> 192.167.206.124:7000 [proto: 223/RX][10 pkts/2085 bytes <-> 10 pkts/1057 bytes] + 1 UDP 131.114.219.168:7001 <-> 192.167.206.241:7000 [proto: 223/RX][48 pkts/6808 bytes <-> 31 pkts/5568 bytes] + 2 UDP 131.114.219.168:7001 <-> 192.167.206.124:7003 [proto: 223/RX][18 pkts/1833 bytes <-> 9 pkts/8086 bytes] + 3 UDP 131.114.219.168:7001 <-> 192.167.206.124:7000 [proto: 223/RX][10 pkts/2085 bytes <-> 10 pkts/1057 bytes] + 4 UDP 131.114.219.168:38331 <-> 192.167.206.124:7002 [proto: 223/RX][2 pkts/441 bytes <-> 1 pkts/78 bytes] + 5 UDP 131.114.219.168:41559 <-> 192.167.206.124:7002 [proto: 223/RX][2 pkts/441 bytes <-> 1 pkts/78 bytes] diff --git a/tests/result/skype-conference-call.pcap.out b/tests/result/skype-conference-call.pcap.out index e69de29bb..4ae33d045 100644 --- a/tests/result/skype-conference-call.pcap.out +++ b/tests/result/skype-conference-call.pcap.out 
@@ -0,0 +1,3 @@ +Skype 200 39687 1 + + 1 UDP 192.168.2.20:49282 <-> 104.46.40.49:60642 [proto: 125/Skype][133 pkts/24845 bytes <-> 67 pkts/14842 bytes] diff --git a/tests/result/skype.pcap.out b/tests/result/skype.pcap.out index db8d030c0..891715428 100644 --- a/tests/result/skype.pcap.out +++ b/tests/result/skype.pcap.out 
@@ -5,307 +5,307 @@ NTP 2 180 1 SSDP 101 38156 6 ICMP 8 656 1 IGMP 5 258 4 -SSL 88 8268 6 +SSL 96 8876 7 Dropbox 38 17948 5 -Skype 2147 325017 250 +Skype 2139 324409 249 Apple 15 2045 2 AppleiCloud 88 20520 2 Spotify 5 430 1 MS_OneDrive 387 198090 1 - 1 TCP 192.168.1.34:50114 <-> 5.248.186.221:31010 [proto: 125/Skype][14 pkts/1040 bytes <-> 4 pkts/362 bytes] - 2 TCP 192.168.1.34:50118 <-> 5.248.186.221:31010 [proto: 125/Skype][18 pkts/2588 bytes <-> 13 pkts/2100 bytes] - 3 UDP 192.168.1.34:13021 -> 111.221.74.15:40024 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 4 UDP 192.168.1.34:13021 -> 111.221.77.160:40028 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 5 UDP 192.168.1.34:13021 -> 111.221.74.48:40008 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 6 UDP 192.168.1.34:13021 -> 111.221.74.42:40024 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 7 UDP 192.168.1.34:13021 -> 111.221.74.25:40028 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 8 UDP 192.168.1.34:13021 -> 111.221.74.17:40022 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 9 UDP 192.168.1.34:13021 -> 111.221.74.16:40032 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 10 UDP 192.168.1.34:13021 -> 111.221.74.28:40014 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 11 UDP 192.168.1.34:13021 -> 111.221.74.40:40018 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 12 UDP 192.168.1.34:13021 -> 111.221.74.29:40024 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 13 UDP 192.168.1.34:13021 -> 111.221.77.153:40024 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 14 UDP 192.168.1.34:13021 -> 111.221.77.141:40020 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 15 UDP 192.168.1.34:13021 -> 111.221.77.143:40022 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 16 UDP 192.168.1.34:13021 -> 111.221.77.149:40030 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 17 UDP 192.168.1.34:13021 -> 111.221.77.155:40004 
[proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 18 UDP 192.168.1.34:13021 -> 111.221.77.172:40010 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 19 UDP 192.168.1.34:13021 -> 111.221.77.165:40020 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 20 UDP 192.168.1.34:13021 -> 111.221.77.176:40020 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 21 TCP 192.168.1.34:50110 <-> 91.190.216.125:12350 [proto: 125/Skype][3 pkts/191 bytes <-> 3 pkts/186 bytes] - 22 TCP 192.168.1.34:50126 <-> 91.190.216.23:12350 [proto: 125/Skype][16 pkts/4788 bytes <-> 4 pkts/372 bytes] - 23 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes -> 0 pkts/0 bytes] - 24 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes -> 0 pkts/0 bytes] - 25 TCP 192.168.1.34:50113 <-> 71.238.7.203:18767 [proto: 125/Skype][11 pkts/827 bytes <-> 3 pkts/325 bytes] - 26 TCP 192.168.1.34:50117 <-> 71.238.7.203:18767 [proto: 125/Skype][24 pkts/3136 bytes <-> 19 pkts/2618 bytes] - 27 TCP 192.168.1.34:50116 <-> 81.83.77.141:17639 [proto: 125/Skype][15 pkts/1138 bytes <-> 4 pkts/372 bytes] - 28 UDP 192.168.1.34:13021 -> 157.56.52.18:33033 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 29 TCP 192.168.1.34:50135 <-> 76.167.161.6:20274 [proto: 125/Skype][11 pkts/838 bytes <-> 3 pkts/270 bytes] - 30 TCP 192.168.1.34:50038 <-> 157.55.130.140:443 [proto: 91.125/SSL.Skype][12 pkts/1032 bytes <-> 3 pkts/230 bytes] - 31 TCP 192.168.1.34:50048 <-> 157.55.130.150:443 [proto: 91.125/SSL.Skype][12 pkts/1109 bytes <-> 3 pkts/236 bytes] - 32 TCP 192.168.1.34:50056 <-> 157.55.56.146:443 [proto: 91.125/SSL.Skype][11 pkts/999 bytes <-> 4 pkts/266 bytes] + 1 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][server: *.gateway.messenger.live.com] + 2 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][231 pkts/60232 bytes <-> 241 pkts/104395 bytes] + 
3 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][79 pkts/29479 bytes -> 0 pkts/0 bytes] + 4 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/SSL.AppleiCloud][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][client: p05-keyvalueservice.icloud.com] + 5 TCP 192.168.1.34:50119 <-> 86.31.35.30:59621 [proto: 125/Skype][62 pkts/6941 bytes <-> 38 pkts/5325 bytes] + 6 UDP 192.168.1.92:50084 -> 239.255.255.250:1900 [proto: 12/SSDP][14 pkts/7281 bytes -> 0 pkts/0 bytes] + 7 TCP 108.160.170.46:443 <-> 192.168.1.34:49445 [proto: 91.121/SSL.Dropbox][8 pkts/1636 bytes <-> 8 pkts/4344 bytes] + 8 TCP 192.168.1.34:50117 <-> 71.238.7.203:18767 [proto: 125/Skype][24 pkts/3136 bytes <-> 19 pkts/2618 bytes] + 9 TCP 192.168.1.34:50126 <-> 91.190.216.23:12350 [proto: 125/Skype][16 pkts/4788 bytes <-> 4 pkts/372 bytes] + 10 TCP 192.168.1.34:50138 <-> 71.238.7.203:18767 [proto: 125/Skype][19 pkts/2797 bytes <-> 13 pkts/2175 bytes] + 11 TCP 192.168.1.34:50118 <-> 5.248.186.221:31010 [proto: 125/Skype][18 pkts/2588 bytes <-> 13 pkts/2100 bytes] + 12 TCP 192.168.1.34:50139 <-> 5.248.186.221:31010 [proto: 125/Skype][15 pkts/2395 bytes <-> 8 pkts/1724 bytes] + 13 TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/SSL.Skype][17 pkts/3605 bytes <-> 1 pkts/74 bytes][client: apps.skypeassets.com] + 14 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][16 pkts/3461 bytes <-> 1 pkts/74 bytes][client: apps.skype.com] + 15 UDP 192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes -> 0 pkts/0 bytes] + 16 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes -> 0 pkts/0 bytes] + 17 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes -> 0 pkts/0 bytes] + 18 UDP 192.168.1.92:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes -> 0 pkts/0 bytes] + 19 TCP 192.168.1.34:50090 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][12 pkts/2140 bytes <-> 3 
pkts/200 bytes][client: apps.skype.com] + 20 TCP 192.168.1.34:50134 <-> 157.56.53.47:12350 [proto: 125/Skype][11 pkts/1578 bytes <-> 4 pkts/342 bytes] + 21 TCP 17.143.160.22:5223 <-> 192.168.1.34:49447 [proto: 140/Apple][6 pkts/1211 bytes <-> 6 pkts/666 bytes] + 22 TCP 192.168.1.34:50091 <-> 157.55.235.146:443 [proto: 91.125/SSL.Skype][13 pkts/1554 bytes <-> 3 pkts/200 bytes] + 23 TCP 192.168.1.34:50122 <-> 81.133.19.185:44431 [proto: 125/Skype][14 pkts/1090 bytes <-> 6 pkts/534 bytes] + 24 TCP 192.168.1.34:50039 <-> 213.199.179.175:443 [proto: 91/SSL][13 pkts/1392 bytes <-> 3 pkts/200 bytes] + 25 TCP 192.168.1.34:50101 <-> 157.55.235.176:443 [proto: 91.125/SSL.Skype][12 pkts/1305 bytes <-> 3 pkts/285 bytes] + 26 TCP 192.168.1.34:50037 <-> 157.55.56.170:443 [proto: 91.125/SSL.Skype][11 pkts/1218 bytes <-> 4 pkts/351 bytes] + 27 TCP 192.168.1.34:50080 <-> 157.55.235.156:443 [proto: 91.125/SSL.Skype][12 pkts/1249 bytes <-> 3 pkts/285 bytes] + 28 TCP 192.168.1.34:50111 <-> 91.190.216.125:443 [proto: 91.125/SSL.Skype][11 pkts/955 bytes <-> 9 pkts/561 bytes] + 29 TCP 192.168.1.34:50081 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][12 pkts/1270 bytes <-> 3 pkts/243 bytes] + 30 TCP 192.168.1.34:50116 <-> 81.83.77.141:17639 [proto: 125/Skype][15 pkts/1138 bytes <-> 4 pkts/372 bytes] + 31 TCP 192.168.1.34:50123 <-> 80.14.46.121:4415 [proto: 125/Skype][14 pkts/1075 bytes <-> 4 pkts/431 bytes] + 32 TCP 192.168.1.34:50075 <-> 213.199.179.142:40003 [proto: 125/Skype][14 pkts/1100 bytes <-> 5 pkts/395 bytes] 33 TCP 192.168.1.34:50072 <-> 157.55.130.170:443 [proto: 91.125/SSL.Skype][12 pkts/1207 bytes <-> 3 pkts/277 bytes] - 34 TCP 192.168.1.34:50080 <-> 157.55.235.156:443 [proto: 91.125/SSL.Skype][12 pkts/1249 bytes <-> 3 pkts/285 bytes] - 35 TCP 192.168.1.34:50094 <-> 157.55.130.155:443 [proto: 91.125/SSL.Skype][12 pkts/1039 bytes <-> 3 pkts/267 bytes] - 36 TCP 192.168.1.34:50078 <-> 157.55.130.173:443 [proto: 91.125/SSL.Skype][12 pkts/1088 bytes <-> 3 pkts/236 bytes] - 37 
UDP 192.168.1.34:13021 -> 157.55.130.155:40020 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 38 UDP 192.168.1.34:13021 -> 157.56.52.28:40009 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 39 UDP 192.168.1.34:13021 -> 157.56.52.15:40027 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 40 UDP 192.168.1.34:13021 -> 157.56.52.24:40001 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 41 UDP 192.168.1.34:13021 -> 157.56.52.17:40013 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 42 UDP 192.168.1.34:13021 -> 157.56.52.27:40027 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 43 UDP 192.168.1.34:13021 -> 157.56.52.33:40011 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 44 UDP 192.168.1.34:13021 -> 157.55.235.143:40030 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 45 UDP 192.168.1.34:13021 -> 157.56.52.47:40029 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 46 UDP 192.168.1.34:13021 -> 157.55.130.144:40034 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 47 UDP 192.168.1.34:13021 -> 157.55.130.146:40026 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 48 UDP 192.168.1.34:13021 -> 157.55.235.145:40022 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 49 UDP 192.168.1.34:13021 -> 157.55.235.147:40020 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 50 UDP 192.168.1.34:13021 -> 157.55.56.148:40010 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 51 UDP 192.168.1.34:13021 -> 157.55.235.176:40022 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 52 UDP 192.168.1.34:13021 -> 157.55.130.175:40006 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 53 UDP 192.168.1.34:13021 -> 157.55.56.162:40004 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 54 UDP 192.168.1.34:13021 -> 157.55.56.161:40012 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 55 UDP 192.168.1.34:13021 -> 157.55.235.157:40010 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 56 
UDP 192.168.1.34:13021 -> 157.55.130.156:40034 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 57 UDP 192.168.1.34:13021 -> 157.55.56.166:40022 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 58 UDP 192.168.1.34:13021 -> 157.55.130.165:40026 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 59 UDP 192.168.1.34:13021 -> 157.55.56.165:40020 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 60 UDP 192.168.1.34:13021 -> 157.55.235.173:40012 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 61 UDP 192.168.1.34:13021 -> 157.55.56.168:40006 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 62 UDP 192.168.1.34:13021 -> 157.55.235.172:40032 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 63 UDP 192.168.1.34:13021 -> 157.55.235.175:40008 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 64 UDP 192.168.1.34:13021 -> 65.55.223.39:443 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] - 65 TCP 192.168.1.34:50143 <-> 78.202.226.115:29059 [proto: 125/Skype][12 pkts/935 bytes <-> 2 pkts/197 bytes] - 66 UDP 192.168.1.34:49163 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] - 67 UDP 192.168.1.34:49793 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/532 bytes -> 0 pkts/0 bytes][Host: dsn4.d.skype.net] - 68 UDP 192.168.1.34:49903 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][9 pkts/648 bytes -> 0 pkts/0 bytes][Host: ui.skype.com] - 69 TCP 192.168.1.34:50134 <-> 157.56.53.47:12350 [proto: 125/Skype][11 pkts/1578 bytes <-> 4 pkts/342 bytes] - 70 UDP 192.168.1.34:51879 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net] - 71 UDP 192.168.1.34:54343 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst13.r.skype.net] - 72 UDP 192.168.1.34:55159 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/651 bytes -> 0 pkts/0 bytes][Host: a.config.skype.trafficmanager.net] - 73 UDP 
192.168.1.34:55711 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes -> 0 pkts/0 bytes][Host: conn.skype.akadns.net] - 74 UDP 192.168.1.34:55893 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][5 pkts/360 bytes -> 0 pkts/0 bytes][Host: ui.skype.com] - 75 UDP 192.168.1.34:56387 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst5.r.skype.net] - 76 UDP 192.168.1.34:13021 -> 213.199.179.150:40004 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 77 UDP 192.168.1.34:13021 -> 213.199.179.146:40030 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 78 UDP 192.168.1.34:13021 -> 213.199.179.143:40022 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 79 UDP 192.168.1.34:13021 -> 213.199.179.155:40004 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 80 UDP 192.168.1.34:13021 -> 213.199.179.154:40034 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 81 UDP 192.168.1.34:13021 -> 213.199.179.168:40006 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 82 UDP 192.168.1.34:58681 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/101 bytes <-> 1 pkts/166 bytes][Host: db3msgr5011709.gateway.messenger.live.com] - 83 TCP 192.168.1.34:50122 <-> 81.133.19.185:44431 [proto: 125/Skype][14 pkts/1090 bytes <-> 6 pkts/534 bytes] - 84 UDP 192.168.1.34:63321 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net] - 85 UDP 192.168.1.34:49485 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] - 86 UDP 192.168.1.34:63421 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] - 87 UDP 192.168.1.34:64085 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e7768.b.akamaiedge.net] - 88 UDP 192.168.1.34:65045 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/532 bytes -> 0 pkts/0 bytes][Host: dsn4.d.skype.net] - 89 UDP 192.168.1.34:65037 -> 
192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] - 90 TCP 192.168.1.34:50055 <-> 111.221.74.47:40030 [proto: 125/Skype][11 pkts/866 bytes <-> 5 pkts/396 bytes] - 91 TCP 192.168.1.34:50096 <-> 111.221.74.46:40027 [proto: 125/Skype][11 pkts/822 bytes <-> 4 pkts/390 bytes] - 92 TCP 192.168.1.34:50086 <-> 111.221.77.142:40023 [proto: 125/Skype][11 pkts/841 bytes <-> 5 pkts/429 bytes] - 93 TCP 192.168.1.34:50024 <-> 17.172.100.36:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/60 bytes] - 94 TCP 192.168.1.34:50128 <-> 17.172.100.36:443 [proto: 91.143/SSL.AppleiCloud][43 pkts/9635 bytes <-> 43 pkts/10651 bytes][client: p05-keyvalueservice.icloud.com] - 95 TCP 192.168.1.34:50027 <-> 23.223.73.34:443 [proto: 91.125/SSL.Skype][17 pkts/3605 bytes <-> 1 pkts/74 bytes][client: apps.skypeassets.com] - 96 TCP 192.168.1.34:50090 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][12 pkts/2140 bytes <-> 3 pkts/200 bytes][client: apps.skype.com] - 97 UDP 192.168.1.34:13021 -> 157.55.130.145:443 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] - 98 TCP 192.168.1.34:50088 <-> 157.55.235.146:33033 [proto: 125/Skype][14 pkts/1085 bytes <-> 4 pkts/315 bytes] - 99 UDP 192.168.1.34:13021 -> 106.188.249.186:15120 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] - 100 UDP 192.168.1.34:13021 -> 176.26.55.167:63773 [proto: 125/Skype][5 pkts/300 bytes -> 0 pkts/0 bytes] - 101 TCP 17.143.160.22:5223 <-> 192.168.1.34:49447 [proto: 140/Apple][6 pkts/1211 bytes <-> 6 pkts/666 bytes] - 102 TCP 192.168.1.34:50032 <-> 157.56.52.44:40032 [proto: 125/Skype][12 pkts/969 bytes <-> 4 pkts/337 bytes] - 103 TCP 192.168.1.34:50034 <-> 157.55.130.140:40033 [proto: 125/Skype][13 pkts/1010 bytes <-> 4 pkts/390 bytes] - 104 TCP 192.168.1.34:50044 <-> 157.55.130.167:40031 [proto: 125/Skype][13 pkts/993 bytes <-> 4 pkts/360 bytes] - 105 TCP 192.168.1.34:50046 <-> 157.55.130.150:40011 [proto: 125/Skype][11 pkts/843 bytes <-> 4 pkts/386 
bytes] - 106 TCP 192.168.1.34:50053 <-> 157.55.56.146:40030 [proto: 125/Skype][12 pkts/940 bytes <-> 5 pkts/415 bytes] - 107 TCP 192.168.1.34:50054 <-> 157.55.130.153:40005 [proto: 125/Skype][13 pkts/1020 bytes <-> 4 pkts/421 bytes] - 108 TCP 192.168.1.34:50074 <-> 157.55.130.173:40003 [proto: 125/Skype][13 pkts/1010 bytes <-> 4 pkts/317 bytes] - 109 TCP 192.168.1.34:50077 <-> 157.55.130.176:40022 [proto: 125/Skype][13 pkts/1004 bytes <-> 4 pkts/334 bytes] - 110 TCP 192.168.1.34:50097 <-> 157.55.235.176:40022 [proto: 125/Skype][13 pkts/1000 bytes <-> 4 pkts/371 bytes] - 111 UDP 192.168.1.34:13021 -> 65.55.223.18:33033 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 112 UDP 192.168.1.34:13021 -> 64.4.23.166:40022 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 113 UDP 192.168.1.34:13021 -> 64.4.23.165:40020 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 114 UDP 192.168.1.34:13021 -> 64.4.23.140:40012 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 115 UDP 192.168.1.34:13021 -> 64.4.23.150:40004 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 116 UDP 192.168.1.34:13021 -> 64.4.23.143:40018 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 117 UDP 192.168.1.34:13021 -> 64.4.23.141:40004 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 118 UDP 192.168.1.34:13021 -> 64.4.23.148:40010 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 119 UDP 192.168.1.34:13021 -> 64.4.23.145:40024 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 120 UDP 192.168.1.34:13021 -> 64.4.23.155:40004 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 121 UDP 192.168.1.34:13021 -> 64.4.23.168:40006 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 122 UDP 192.168.1.34:13021 -> 65.55.223.38:40015 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 123 UDP 192.168.1.34:13021 -> 65.55.223.20:40033 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 124 UDP 192.168.1.34:13021 -> 65.55.223.33:40011 [proto: 
125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 125 UDP 192.168.1.34:13021 -> 65.55.223.21:40027 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 126 UDP 192.168.1.34:13021 -> 65.55.223.44:40013 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 127 UDP 192.168.1.34:13021 -> 65.55.223.41:40027 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 128 UDP 192.168.1.34:13021 -> 111.221.74.18:33033 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 129 UDP 192.168.1.34:13021 -> 111.221.77.146:33033 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 130 TCP 192.168.1.34:50063 <-> 111.221.74.38:443 [proto: 91.125/SSL.Skype][10 pkts/1002 bytes <-> 3 pkts/285 bytes] - 131 TCP 192.168.1.34:50087 <-> 111.221.77.142:443 [proto: 91.125/SSL.Skype][9 pkts/822 bytes <-> 3 pkts/285 bytes] - 132 UDP 192.168.1.34:13021 -> 76.185.207.12:45493 [proto: 125/Skype][5 pkts/300 bytes -> 0 pkts/0 bytes] - 133 TCP 192.168.1.34:50137 <-> 5.248.186.221:31010 [proto: 125/Skype][14 pkts/1062 bytes <-> 4 pkts/383 bytes] - 134 TCP 192.168.1.34:50139 <-> 5.248.186.221:31010 [proto: 125/Skype][15 pkts/2395 bytes <-> 8 pkts/1724 bytes] - 135 UDP 192.168.1.34:13021 -> 111.221.77.142:40023 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 136 UDP 192.168.1.34:13021 -> 111.221.74.46:40027 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 137 UDP 192.168.1.34:13021 -> 111.221.74.24:40001 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 138 UDP 192.168.1.34:13021 -> 111.221.74.19:40001 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 139 UDP 192.168.1.34:13021 -> 111.221.74.12:40031 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 140 UDP 192.168.1.34:13021 -> 111.221.74.44:40031 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 141 UDP 192.168.1.34:13021 -> 111.221.74.43:40001 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 142 UDP 192.168.1.34:13021 -> 111.221.74.32:40009 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 143 
UDP 192.168.1.34:13021 -> 111.221.74.31:40021 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 144 UDP 192.168.1.34:13021 -> 111.221.77.140:40003 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 145 UDP 192.168.1.34:13021 -> 111.221.77.145:40027 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 146 UDP 192.168.1.34:13021 -> 111.221.77.151:40027 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 147 UDP 192.168.1.34:13021 -> 111.221.77.148:40029 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 148 UDP 192.168.1.34:13021 -> 111.221.77.168:40007 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 149 UDP 192.168.1.34:13021 -> 111.221.77.166:40011 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 150 UDP 192.168.1.34:13021 -> 111.221.77.154:40017 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 151 UDP 192.168.1.34:13021 -> 111.221.77.159:40009 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 152 TCP 192.168.1.34:50109 <-> 91.190.216.125:12350 [proto: 125/Skype][3 pkts/297 bytes <-> 3 pkts/186 bytes] - 153 TCP 192.168.1.34:50125 <-> 91.190.218.125:12350 [proto: 125/Skype][6 pkts/417 bytes <-> 4 pkts/352 bytes] - 154 TCP 192.168.1.34:50129 <-> 91.190.218.125:12350 [proto: 125/Skype][6 pkts/353 bytes <-> 4 pkts/246 bytes] - 155 TCP 192.168.1.34:50136 <-> 71.238.7.203:18767 [proto: 125/Skype][11 pkts/814 bytes <-> 3 pkts/287 bytes] - 156 TCP 192.168.1.34:50138 <-> 71.238.7.203:18767 [proto: 125/Skype][19 pkts/2797 bytes <-> 13 pkts/2175 bytes] - 157 UDP 192.168.1.34:13021 -> 176.97.100.249:26635 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] - 158 UDP 192.168.1.34:13021 -> 157.55.235.146:33033 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 159 UDP 192.168.1.34:13021 -> 157.55.130.146:33033 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 160 UDP 192.168.1.34:13021 -> 157.55.56.146:33033 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 161 TCP 192.168.1.34:50112 <-> 76.167.161.6:20274 
[proto: 125/Skype][11 pkts/843 bytes <-> 4 pkts/411 bytes] - 162 TCP 192.168.1.34:50028 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][187 pkts/42539 bytes <-> 200 pkts/155551 bytes][server: *.gateway.messenger.live.com] - 163 TCP 192.168.1.34:50036 <-> 157.56.52.44:443 [proto: 91.125/SSL.Skype][11 pkts/1074 bytes <-> 3 pkts/254 bytes] - 164 TCP 192.168.1.34:50037 <-> 157.55.56.170:443 [proto: 91.125/SSL.Skype][11 pkts/1218 bytes <-> 4 pkts/351 bytes] - 165 TCP 192.168.1.34:50045 <-> 157.55.130.167:443 [proto: 91.125/SSL.Skype][12 pkts/1151 bytes <-> 3 pkts/260 bytes] - 166 TCP 192.168.1.34:50051 <-> 157.55.130.166:443 [proto: 91.125/SSL.Skype][12 pkts/1074 bytes <-> 3 pkts/277 bytes] - 167 TCP 192.168.1.34:50057 <-> 157.55.130.153:443 [proto: 91.125/SSL.Skype][12 pkts/1102 bytes <-> 3 pkts/247 bytes] - 168 TCP 192.168.1.34:50091 <-> 157.55.235.146:443 [proto: 91.125/SSL.Skype][13 pkts/1554 bytes <-> 3 pkts/200 bytes] - 169 TCP 192.168.1.34:50146 -> 157.56.53.51:443 [proto: 91.125/SSL.Skype][8 pkts/608 bytes -> 0 pkts/0 bytes] - 170 TCP 192.168.1.34:50069 <-> 157.55.56.160:443 [proto: 91.125/SSL.Skype][11 pkts/1050 bytes <-> 4 pkts/351 bytes] - 171 TCP 192.168.1.34:50081 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][12 pkts/1270 bytes <-> 3 pkts/243 bytes] - 172 TCP 192.168.1.34:50101 <-> 157.55.235.176:443 [proto: 91.125/SSL.Skype][12 pkts/1305 bytes <-> 3 pkts/285 bytes] - 173 UDP 192.168.1.34:13021 -> 157.55.130.160:40029 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 174 UDP 192.168.1.34:13021 -> 157.55.130.154:40005 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 175 UDP 192.168.1.34:13021 -> 157.56.52.45:40012 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 176 UDP 192.168.1.34:13021 -> 157.56.52.21:40004 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 177 UDP 192.168.1.34:13021 -> 157.56.52.26:40026 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 178 UDP 192.168.1.34:13021 -> 157.56.52.37:40032 [proto: 
125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 179 UDP 192.168.1.34:13021 -> 157.55.235.142:40025 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 180 UDP 192.168.1.34:13021 -> 157.55.56.142:40023 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 181 UDP 192.168.1.34:13021 -> 157.55.235.152:40001 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 182 UDP 192.168.1.34:13021 -> 157.55.56.151:40027 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 183 UDP 192.168.1.34:13021 -> 157.55.56.145:40027 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 184 UDP 192.168.1.34:13021 -> 157.55.130.143:40017 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 185 UDP 192.168.1.34:13021 -> 157.55.130.148:40019 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 186 UDP 192.168.1.34:13021 -> 157.55.130.147:40019 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 187 UDP 192.168.1.34:13021 -> 157.55.130.151:40017 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 188 UDP 192.168.1.34:13021 -> 157.55.235.153:40023 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 189 UDP 192.168.1.34:13021 -> 157.55.130.157:40013 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 190 UDP 192.168.1.34:13021 -> 157.55.235.155:40003 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 191 UDP 192.168.1.34:13021 -> 157.55.235.158:40031 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 192 UDP 192.168.1.34:13021 -> 157.55.235.159:40021 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 193 UDP 192.168.1.34:13021 -> 157.55.56.175:40013 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 194 UDP 192.168.1.34:13021 -> 157.55.235.161:40011 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 195 UDP 192.168.1.34:13021 -> 157.55.235.160:40027 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 196 UDP 192.168.1.34:13021 -> 157.55.130.172:40019 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 197 UDP 192.168.1.34:13021 -> 
157.55.235.166:40015 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 198 UDP 192.168.1.34:49360 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] - 199 TCP 192.168.1.34:50132 <-> 149.13.32.15:13392 [proto: 125/Skype][13 pkts/1010 bytes <-> 5 pkts/402 bytes] - 200 UDP 192.168.1.92:57621 -> 192.168.1.255:57621 [proto: 156/Spotify][5 pkts/430 bytes -> 0 pkts/0 bytes] - 201 UDP 192.168.1.34:49990 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] - 202 UDP 192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][6 pkts/3264 bytes -> 0 pkts/0 bytes] - 203 UDP 192.168.1.92:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][5 pkts/2720 bytes -> 0 pkts/0 bytes] - 204 UDP 192.168.1.34:13021 -> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 205 UDP 192.168.1.34:51802 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] - 206 UDP 192.168.1.34:52714 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] - 207 UDP 192.168.1.34:52850 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes -> 0 pkts/0 bytes][Host: conn.skype.akadns.net] - 208 UDP 192.168.1.34:52742 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst5.r.skype.net] - 209 TCP 192.168.1.34:50039 <-> 213.199.179.175:443 [proto: 91/SSL][13 pkts/1392 bytes <-> 3 pkts/200 bytes] - 210 TCP 192.168.1.34:50079 <-> 213.199.179.142:443 [proto: 91/SSL][13 pkts/1176 bytes <-> 3 pkts/200 bytes] - 211 UDP 192.168.1.34:54396 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com] - 212 TCP 192.168.1.34:50099 <-> 64.4.23.166:40022 [proto: 125/Skype][12 pkts/948 bytes <-> 4 pkts/407 bytes] - 213 TCP 192.168.1.34:50026 <-> 65.55.223.33:40002 [proto: 125/Skype][13 
pkts/971 bytes <-> 4 pkts/399 bytes] - 214 TCP 192.168.1.34:50065 <-> 65.55.223.12:40031 [proto: 125/Skype][13 pkts/1004 bytes <-> 4 pkts/397 bytes] - 215 TCP 192.168.1.34:50098 <-> 65.55.223.15:40026 [proto: 125/Skype][13 pkts/995 bytes <-> 4 pkts/386 bytes] - 216 UDP 192.168.1.34:57288 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] - 217 UDP 192.168.1.34:57406 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] - 218 UDP 192.168.1.34:57726 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] - 219 UDP 192.168.1.34:13021 -> 213.199.179.165:40007 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 220 UDP 192.168.1.34:13021 -> 213.199.179.141:40015 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 34 TCP 192.168.1.34:50066 <-> 65.55.223.12:443 [proto: 91/SSL][12 pkts/1221 bytes <-> 3 pkts/231 bytes] + 35 TCP 192.168.1.34:50137 <-> 5.248.186.221:31010 [proto: 125/Skype][14 pkts/1062 bytes <-> 4 pkts/383 bytes] + 36 TCP 192.168.1.34:50076 <-> 157.55.235.156:40014 [proto: 125/Skype][14 pkts/1083 bytes <-> 4 pkts/359 bytes] + 37 TCP 192.168.1.34:50054 <-> 157.55.130.153:40005 [proto: 125/Skype][13 pkts/1020 bytes <-> 4 pkts/421 bytes] + 38 TCP 192.168.1.34:50132 <-> 149.13.32.15:13392 [proto: 125/Skype][13 pkts/1010 bytes <-> 5 pkts/402 bytes] + 39 TCP 192.168.1.34:50045 <-> 157.55.130.167:443 [proto: 91.125/SSL.Skype][12 pkts/1151 bytes <-> 3 pkts/260 bytes] + 40 TCP 192.168.1.34:50114 <-> 5.248.186.221:31010 [proto: 125/Skype][14 pkts/1040 bytes <-> 4 pkts/362 bytes] + 41 TCP 192.168.1.34:50065 <-> 65.55.223.12:40031 [proto: 125/Skype][13 pkts/1004 bytes <-> 4 pkts/397 bytes] + 42 TCP 192.168.1.34:50069 <-> 157.55.56.160:443 [proto: 91.125/SSL.Skype][11 pkts/1050 bytes <-> 4 pkts/351 bytes] + 43 TCP 192.168.1.34:50034 <-> 157.55.130.140:40033 [proto: 125/Skype][13 pkts/1010 
bytes <-> 4 pkts/390 bytes] + 44 TCP 192.168.1.34:50088 <-> 157.55.235.146:33033 [proto: 125/Skype][14 pkts/1085 bytes <-> 4 pkts/315 bytes] + 45 TCP 192.168.1.34:50102 <-> 65.55.223.15:443 [proto: 91/SSL][11 pkts/1140 bytes <-> 3 pkts/250 bytes] + 46 TCP 192.168.1.34:50092 <-> 157.55.130.155:40020 [proto: 125/Skype][13 pkts/975 bytes <-> 4 pkts/412 bytes] + 47 TCP 192.168.1.34:50115 <-> 86.31.35.30:59621 [proto: 125/Skype][13 pkts/995 bytes <-> 4 pkts/391 bytes] + 48 TCP 192.168.1.34:50098 <-> 65.55.223.15:40026 [proto: 125/Skype][13 pkts/995 bytes <-> 4 pkts/386 bytes] + 49 TCP 192.168.1.34:50130 <-> 212.161.8.36:13392 [proto: 125/Skype][13 pkts/1000 bytes <-> 4 pkts/380 bytes] + 50 TCP 192.168.1.34:50079 <-> 213.199.179.142:443 [proto: 91/SSL][13 pkts/1176 bytes <-> 3 pkts/200 bytes] + 51 TCP 192.168.1.34:50097 <-> 157.55.235.176:40022 [proto: 125/Skype][13 pkts/1000 bytes <-> 4 pkts/371 bytes] + 52 TCP 192.168.1.34:50026 <-> 65.55.223.33:40002 [proto: 125/Skype][13 pkts/971 bytes <-> 4 pkts/399 bytes] + 53 TCP 192.168.1.34:50033 <-> 157.55.56.170:40015 [proto: 125/Skype][13 pkts/977 bytes <-> 4 pkts/384 bytes] + 54 TCP 192.168.1.34:50053 <-> 157.55.56.146:40030 [proto: 125/Skype][12 pkts/940 bytes <-> 5 pkts/415 bytes] + 55 TCP 192.168.1.34:50099 <-> 64.4.23.166:40022 [proto: 125/Skype][12 pkts/948 bytes <-> 4 pkts/407 bytes] + 56 TCP 192.168.1.34:50044 <-> 157.55.130.167:40031 [proto: 125/Skype][13 pkts/993 bytes <-> 4 pkts/360 bytes] + 57 TCP 192.168.1.34:50051 <-> 157.55.130.166:443 [proto: 91.125/SSL.Skype][12 pkts/1074 bytes <-> 3 pkts/277 bytes] + 58 TCP 192.168.1.34:50057 <-> 157.55.130.153:443 [proto: 91.125/SSL.Skype][12 pkts/1102 bytes <-> 3 pkts/247 bytes] + 59 TCP 192.168.1.34:50048 <-> 157.55.130.150:443 [proto: 91.125/SSL.Skype][12 pkts/1109 bytes <-> 3 pkts/236 bytes] + 60 TCP 192.168.1.34:50077 <-> 157.55.130.176:40022 [proto: 125/Skype][13 pkts/1004 bytes <-> 4 pkts/334 bytes] + 61 TCP 192.168.1.34:50036 <-> 157.56.52.44:443 [proto: 
91.125/SSL.Skype][11 pkts/1074 bytes <-> 3 pkts/254 bytes] + 62 TCP 192.168.1.34:50074 <-> 157.55.130.173:40003 [proto: 125/Skype][13 pkts/1010 bytes <-> 4 pkts/317 bytes] + 63 TCP 192.168.1.34:50078 <-> 157.55.130.173:443 [proto: 91.125/SSL.Skype][12 pkts/1088 bytes <-> 3 pkts/236 bytes] + 64 TCP 192.168.1.34:50070 <-> 157.55.130.170:40018 [proto: 125/Skype][13 pkts/989 bytes <-> 4 pkts/323 bytes] + 65 TCP 192.168.1.34:50030 <-> 65.55.223.33:443 [proto: 91/SSL][11 pkts/960 bytes <-> 4 pkts/351 bytes] + 66 TCP 192.168.1.34:50032 <-> 157.56.52.44:40032 [proto: 125/Skype][12 pkts/969 bytes <-> 4 pkts/337 bytes] + 67 TCP 192.168.1.34:50094 <-> 157.55.130.155:443 [proto: 91.125/SSL.Skype][12 pkts/1039 bytes <-> 3 pkts/267 bytes] + 68 TCP 192.168.1.34:50067 <-> 157.55.56.160:40027 [proto: 125/Skype][12 pkts/899 bytes <-> 5 pkts/406 bytes] + 69 TCP 192.168.1.34:50035 <-> 213.199.179.175:40021 [proto: 125/Skype][13 pkts/982 bytes <-> 4 pkts/322 bytes] + 70 TCP 192.168.1.34:50063 <-> 111.221.74.38:443 [proto: 91.125/SSL.Skype][10 pkts/1002 bytes <-> 3 pkts/285 bytes] + 71 TCP 192.168.1.34:50049 <-> 157.55.130.166:40021 [proto: 125/Skype][11 pkts/836 bytes <-> 5 pkts/442 bytes] + 72 TCP 192.168.1.34:50086 <-> 111.221.77.142:40023 [proto: 125/Skype][11 pkts/841 bytes <-> 5 pkts/429 bytes] + 73 TCP 192.168.1.34:50056 <-> 157.55.56.146:443 [proto: 91.125/SSL.Skype][11 pkts/999 bytes <-> 4 pkts/266 bytes] + 74 TCP 192.168.1.34:50038 <-> 157.55.130.140:443 [proto: 91.125/SSL.Skype][12 pkts/1032 bytes <-> 3 pkts/230 bytes] + 75 TCP 192.168.1.34:50055 <-> 111.221.74.47:40030 [proto: 125/Skype][11 pkts/866 bytes <-> 5 pkts/396 bytes] + 76 TCP 192.168.1.34:50112 <-> 76.167.161.6:20274 [proto: 125/Skype][11 pkts/843 bytes <-> 4 pkts/411 bytes] + 77 TCP 192.168.1.34:50141 <-> 80.14.46.121:4415 [proto: 125/Skype][13 pkts/994 bytes <-> 2 pkts/243 bytes] + 78 TCP 192.168.1.34:50059 <-> 111.221.74.38:40015 [proto: 125/Skype][11 pkts/820 bytes <-> 5 pkts/416 bytes] + 79 TCP 
192.168.1.34:50046 <-> 157.55.130.150:40011 [proto: 125/Skype][11 pkts/843 bytes <-> 4 pkts/386 bytes] + 80 TCP 192.168.1.34:50096 <-> 111.221.74.46:40027 [proto: 125/Skype][11 pkts/822 bytes <-> 4 pkts/390 bytes] + 81 TCP 192.168.1.34:50058 <-> 111.221.74.47:443 [proto: 91.125/SSL.Skype][10 pkts/857 bytes <-> 4 pkts/351 bytes] + 82 TCP 192.168.1.34:50113 <-> 71.238.7.203:18767 [proto: 125/Skype][11 pkts/827 bytes <-> 3 pkts/325 bytes] + 83 TCP 192.168.1.34:50103 <-> 64.4.23.166:443 [proto: 91/SSL][9 pkts/862 bytes <-> 3 pkts/285 bytes] + 84 TCP 192.168.1.34:50143 <-> 78.202.226.115:29059 [proto: 125/Skype][12 pkts/935 bytes <-> 2 pkts/197 bytes] + 85 TCP 192.168.1.34:50100 <-> 111.221.74.46:443 [proto: 91.125/SSL.Skype][10 pkts/872 bytes <-> 3 pkts/237 bytes] + 86 TCP 192.168.1.34:50135 <-> 76.167.161.6:20274 [proto: 125/Skype][11 pkts/838 bytes <-> 3 pkts/270 bytes] + 87 TCP 192.168.1.34:50087 <-> 111.221.77.142:443 [proto: 91.125/SSL.Skype][9 pkts/822 bytes <-> 3 pkts/285 bytes] + 88 TCP 192.168.1.34:50136 <-> 71.238.7.203:18767 [proto: 125/Skype][11 pkts/814 bytes <-> 3 pkts/287 bytes] + 89 UDP [fe80::c62c:3ff:fe06:49fe]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][4 pkts/908 bytes -> 0 pkts/0 bytes] + 90 UDP 192.168.1.92:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][4 pkts/828 bytes -> 0 pkts/0 bytes] + 91 TCP 192.168.1.34:50125 <-> 91.190.218.125:12350 [proto: 125/Skype][6 pkts/417 bytes <-> 4 pkts/352 bytes] + 92 ICMP 192.168.1.1:0 -> 192.168.1.34:0 [proto: 81/ICMP][8 pkts/656 bytes -> 0 pkts/0 bytes] + 93 UDP 192.168.1.34:63108 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/651 bytes -> 0 pkts/0 bytes][Host: a.config.skype.trafficmanager.net] + 94 UDP 192.168.1.34:55159 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/651 bytes -> 0 pkts/0 bytes][Host: a.config.skype.trafficmanager.net] + 95 UDP 192.168.1.34:52850 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes -> 0 pkts/0 bytes][Host: conn.skype.akadns.net] + 96 UDP 192.168.1.34:49903 -> 
192.168.1.1:53 [proto: 5.125/DNS.Skype][9 pkts/648 bytes -> 0 pkts/0 bytes][Host: ui.skype.com] + 97 UDP 192.168.1.34:55711 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes -> 0 pkts/0 bytes][Host: conn.skype.akadns.net] + 98 UDP 192.168.1.34:58458 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] + 99 UDP 192.168.1.34:60288 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] + 100 UDP 192.168.1.34:65037 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] + 101 UDP 192.168.1.34:54343 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst13.r.skype.net] + 102 UDP 192.168.1.34:57726 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] + 103 UDP 192.168.1.34:63421 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] + 104 UDP 192.168.1.34:49360 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] + 105 UDP 192.168.1.34:58368 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst13.r.skype.net] + 106 UDP 192.168.1.34:57288 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] + 107 UDP 192.168.1.34:56387 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst5.r.skype.net] + 108 UDP 192.168.1.34:52742 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst5.r.skype.net] + 109 UDP 192.168.1.34:49990 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst6.r.skype.net] + 110 TCP 192.168.1.34:50146 -> 
157.56.53.51:443 [proto: 91/SSL][8 pkts/608 bytes -> 0 pkts/0 bytes] + 111 TCP 192.168.1.34:50129 <-> 91.190.218.125:12350 [proto: 125/Skype][6 pkts/353 bytes <-> 4 pkts/246 bytes] + 112 UDP 192.168.1.34:51802 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] + 113 UDP 192.168.1.34:49163 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] + 114 UDP 192.168.1.34:52714 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] + 115 UDP 192.168.1.34:57406 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] + 116 UDP 192.168.1.34:65045 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/532 bytes -> 0 pkts/0 bytes][Host: dsn4.d.skype.net] + 117 UDP 192.168.1.34:49793 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/532 bytes -> 0 pkts/0 bytes][Host: dsn4.d.skype.net] + 118 UDP 192.168.1.34:54396 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com] + 119 UDP 192.168.1.34:65426 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com] + 120 TCP 192.168.1.34:50109 <-> 91.190.216.125:12350 [proto: 125/Skype][3 pkts/297 bytes <-> 3 pkts/186 bytes] + 121 UDP 192.168.1.92:57621 -> 192.168.1.255:57621 [proto: 156/Spotify][5 pkts/430 bytes -> 0 pkts/0 bytes] + 122 TCP 192.168.1.34:50110 <-> 91.190.216.125:12350 [proto: 125/Skype][3 pkts/191 bytes <-> 3 pkts/186 bytes] + 123 UDP 192.168.1.34:55893 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][5 pkts/360 bytes -> 0 pkts/0 bytes][Host: ui.skype.com] + 124 UDP 192.168.1.34:49485 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] + 125 UDP 192.168.1.34:56886 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] + 126 UDP 192.168.1.34:51066 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes 
-> 0 pkts/0 bytes] + 127 UDP 192.168.1.34:64560 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] + 128 UDP 192.168.1.34:13021 -> 76.185.207.12:45493 [proto: 125/Skype][5 pkts/300 bytes -> 0 pkts/0 bytes] + 129 UDP 192.168.1.34:13021 -> 176.26.55.167:63773 [proto: 125/Skype][5 pkts/300 bytes -> 0 pkts/0 bytes] + 130 UDP 192.168.1.34:58681 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/101 bytes <-> 1 pkts/166 bytes][Host: db3msgr5011709.gateway.messenger.live.com] + 131 UDP 192.168.1.34:62454 <-> 192.168.1.1:53 [proto: 5.143/DNS.AppleiCloud][1 pkts/101 bytes <-> 1 pkts/133 bytes][Host: p05-keyvalueservice.icloud.com.akadns.net] + 132 UDP 192.168.1.34:63321 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net] + 133 UDP 192.168.1.34:64085 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e7768.b.akamaiedge.net] + 134 UDP 192.168.1.34:123 <-> 17.253.48.245:123 [proto: 9/NTP][1 pkts/90 bytes <-> 1 pkts/90 bytes] + 135 UDP 192.168.1.34:51879 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net] + 136 TCP 192.168.1.34:50024 <-> 17.172.100.36:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/60 bytes] + 137 IGMP 192.168.0.254:0 -> 224.0.0.1:0 [proto: 82/IGMP][2 pkts/92 bytes -> 0 pkts/0 bytes] + 138 UDP 192.168.1.34:13021 -> 64.4.23.145:40024 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 139 UDP 192.168.1.34:13021 -> 65.55.223.33:40011 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 140 UDP 192.168.1.34:13021 -> 157.55.130.154:40005 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 141 UDP 192.168.1.34:13021 -> 157.55.56.168:40006 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 142 UDP 192.168.1.34:13021 -> 157.55.235.152:40001 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 143 UDP 192.168.1.34:13021 -> 157.55.235.147:40020 [proto: 125/Skype][1 pkts/79 
bytes -> 0 pkts/0 bytes] + 144 UDP 192.168.1.34:13021 -> 65.55.223.26:40004 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 145 UDP 192.168.1.34:13021 -> 213.199.179.155:40004 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 146 UDP 192.168.1.34:13021 -> 157.55.130.146:40026 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 147 UDP 192.168.1.34:13021 -> 111.221.77.172:40010 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 148 UDP 192.168.1.34:13021 -> 157.55.130.156:40034 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 149 UDP 192.168.1.34:13021 -> 157.56.52.27:40027 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 150 UDP 192.168.1.34:13021 -> 157.55.235.176:40022 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 151 UDP 192.168.1.34:13021 -> 157.55.235.161:40011 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 152 UDP 192.168.1.34:13021 -> 111.221.74.28:40014 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 153 UDP 192.168.1.34:13021 -> 157.56.52.28:40009 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 154 UDP 192.168.1.34:13021 -> 111.221.77.146:33033 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 155 UDP 192.168.1.34:13021 -> 111.221.77.159:40009 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 156 UDP 192.168.1.34:13021 -> 111.221.77.155:40004 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 157 UDP 192.168.1.34:13021 -> 111.221.77.166:40011 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 158 UDP 192.168.1.34:13021 -> 65.55.223.29:40010 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 159 UDP 192.168.1.34:13021 -> 64.4.23.155:40004 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 160 UDP 192.168.1.34:13021 -> 111.221.74.15:40024 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 161 UDP 192.168.1.34:13021 -> 157.55.56.151:40027 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 162 UDP 192.168.1.34:13021 -> 157.55.56.175:40013 [proto: 
125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 163 UDP 192.168.1.34:13021 -> 111.221.77.145:40027 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 164 UDP 192.168.1.34:13021 -> 64.4.23.143:40018 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 165 UDP 192.168.1.34:13021 -> 157.55.130.143:40017 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 166 UDP 192.168.1.34:13021 -> 157.55.235.155:40003 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 167 UDP 192.168.1.34:13021 -> 157.55.56.142:40023 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 168 UDP 192.168.1.34:13021 -> 157.56.52.17:40013 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 169 UDP 192.168.1.34:13021 -> 65.55.223.25:40028 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 170 UDP 192.168.1.34:13021 -> 157.55.56.162:40004 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 171 UDP 192.168.1.34:13021 -> 64.4.23.166:40022 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 172 UDP 192.168.1.34:13021 -> 157.55.130.147:40019 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 173 UDP 192.168.1.34:13021 -> 157.55.235.175:40008 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 174 UDP 192.168.1.34:13021 -> 65.55.223.43:40002 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 175 UDP 192.168.1.34:13021 -> 213.199.179.150:40004 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 176 UDP 192.168.1.34:13021 -> 111.221.74.43:40001 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 177 UDP 192.168.1.34:13021 -> 111.221.77.151:40027 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 178 UDP 192.168.1.34:13021 -> 111.221.74.48:40008 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 179 UDP 192.168.1.34:13021 -> 213.199.179.141:40015 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 180 UDP 192.168.1.34:13021 -> 213.199.179.143:40022 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 181 UDP 192.168.1.34:13021 -> 
213.199.179.154:40034 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 182 UDP 192.168.1.34:13021 -> 111.221.77.165:40020 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 183 UDP 192.168.1.34:13021 -> 111.221.74.12:40031 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 184 UDP 192.168.1.34:13021 -> 111.221.74.40:40018 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 185 UDP 192.168.1.34:13021 -> 213.199.179.165:40007 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 186 UDP 192.168.1.34:13021 -> 157.56.52.26:40026 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 187 UDP 192.168.1.34:13021 -> 65.55.223.28:40026 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 188 UDP 192.168.1.34:13021 -> 157.55.130.175:40006 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 189 UDP 192.168.1.34:13021 -> 111.221.77.176:40020 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 190 UDP 192.168.1.34:13021 -> 64.4.23.141:40004 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 191 UDP 192.168.1.34:13021 -> 111.221.74.29:40024 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 192 UDP 192.168.1.34:13021 -> 157.55.235.153:40023 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 193 UDP 192.168.1.34:13021 -> 213.199.179.168:40006 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 194 UDP 192.168.1.34:13021 -> 111.221.74.31:40021 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 195 UDP 192.168.1.34:13021 -> 111.221.77.142:40023 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 196 UDP 192.168.1.34:13021 -> 64.4.23.165:40020 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 197 UDP 192.168.1.34:13021 -> 64.4.23.151:40029 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 198 UDP 192.168.1.34:13021 -> 157.55.130.151:40017 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 199 UDP 192.168.1.34:13021 -> 64.4.23.168:40006 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 200 UDP 
192.168.1.34:13021 -> 157.55.56.148:40010 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 201 UDP 192.168.1.34:13021 -> 111.221.74.44:40031 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 202 UDP 192.168.1.34:13021 -> 157.55.235.157:40010 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 203 UDP 192.168.1.34:13021 -> 111.221.74.46:40027 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 204 UDP 192.168.1.34:13021 -> 157.55.235.172:40032 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 205 UDP 192.168.1.34:13021 -> 111.221.77.153:40024 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 206 UDP 192.168.1.34:13021 -> 157.56.52.18:33033 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 207 UDP 192.168.1.34:13021 -> 65.55.223.45:40012 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 208 UDP 192.168.1.34:13021 -> 213.199.179.170:40011 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 209 UDP 192.168.1.34:13021 -> 65.55.223.21:40027 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 210 UDP 192.168.1.34:13021 -> 64.4.23.159:40009 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 211 UDP 192.168.1.34:13021 -> 111.221.74.18:33033 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 212 UDP 192.168.1.34:13021 -> 157.55.130.165:40026 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 213 UDP 192.168.1.34:13021 -> 111.221.74.32:40009 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 214 UDP 192.168.1.34:13021 -> 111.221.74.42:40024 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 215 UDP 192.168.1.34:13021 -> 65.55.223.17:40022 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 216 UDP 192.168.1.34:13021 -> 64.4.23.150:40004 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 217 UDP 192.168.1.34:13021 -> 157.55.130.155:40020 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 218 UDP 192.168.1.34:13021 -> 157.56.52.33:40011 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 
bytes] + 219 UDP 192.168.1.34:13021 -> 157.55.56.161:40012 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 220 UDP 192.168.1.34:13021 -> 157.55.235.142:40025 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] 221 UDP 192.168.1.34:13021 -> 213.199.179.162:40029 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 222 UDP 192.168.1.34:13021 -> 213.199.179.152:40023 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 223 UDP 192.168.1.34:13021 -> 213.199.179.145:40027 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 224 UDP 192.168.1.34:13021 -> 213.199.179.170:40011 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 225 UDP 192.168.1.34:58458 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] - 226 UDP 192.168.1.34:58368 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst13.r.skype.net] - 227 UDP 192.168.1.34:60288 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] - 228 ICMP 192.168.1.1:0 -> 192.168.1.34:0 [proto: 81/ICMP][8 pkts/656 bytes -> 0 pkts/0 bytes] - 229 UDP 192.168.1.34:62454 <-> 192.168.1.1:53 [proto: 5.143/DNS.AppleiCloud][1 pkts/101 bytes <-> 1 pkts/133 bytes][Host: p05-keyvalueservice.icloud.com.akadns.net] - 230 UDP 192.168.1.34:63108 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/651 bytes -> 0 pkts/0 bytes][Host: a.config.skype.trafficmanager.net] - 231 UDP 192.168.1.92:50084 -> 239.255.255.250:1900 [proto: 12/SSDP][14 pkts/7281 bytes -> 0 pkts/0 bytes] - 232 UDP 192.168.1.34:51066 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] - 233 UDP 192.168.1.34:65426 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com] - 234 TCP 192.168.1.34:50130 <-> 212.161.8.36:13392 [proto: 125/Skype][13 pkts/1000 bytes <-> 4 pkts/380 bytes] - 235 TCP 192.168.1.34:50059 <-> 
111.221.74.38:40015 [proto: 125/Skype][11 pkts/820 bytes <-> 5 pkts/416 bytes] - 236 TCP 192.168.1.34:50029 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][16 pkts/3461 bytes <-> 1 pkts/74 bytes][client: apps.skype.com] - 237 IGMP 192.168.0.254:0 -> 224.0.0.1:0 [proto: 82/IGMP][2 pkts/92 bytes -> 0 pkts/0 bytes] - 238 IGMP 192.168.1.92:0 -> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 239 IGMP 192.168.1.1:0 -> 224.0.0.1:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 240 IGMP 192.168.1.34:0 -> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/46 bytes -> 0 pkts/0 bytes] - 241 UDP 192.168.1.34:56886 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] - 242 TCP 192.168.1.34:50033 <-> 157.55.56.170:40015 [proto: 125/Skype][13 pkts/977 bytes <-> 4 pkts/384 bytes] - 243 TCP 192.168.1.34:50049 <-> 157.55.130.166:40021 [proto: 125/Skype][11 pkts/836 bytes <-> 5 pkts/442 bytes] - 244 TCP 192.168.1.34:50067 <-> 157.55.56.160:40027 [proto: 125/Skype][12 pkts/899 bytes <-> 5 pkts/406 bytes] - 245 TCP 192.168.1.34:50076 <-> 157.55.235.156:40014 [proto: 125/Skype][14 pkts/1083 bytes <-> 4 pkts/359 bytes] - 246 TCP 192.168.1.34:50092 <-> 157.55.130.155:40020 [proto: 125/Skype][13 pkts/975 bytes <-> 4 pkts/412 bytes] - 247 TCP 192.168.1.34:50108 <-> 157.56.52.28:40009 [proto: 125/Skype][231 pkts/60232 bytes <-> 241 pkts/104395 bytes] - 248 TCP 192.168.1.34:50070 <-> 157.55.130.170:40018 [proto: 125/Skype][13 pkts/989 bytes <-> 4 pkts/323 bytes] - 249 UDP 192.168.1.34:64560 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] - 250 UDP 192.168.1.34:13021 -> 64.4.23.146:33033 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 251 TCP 192.168.1.34:50115 <-> 86.31.35.30:59621 [proto: 125/Skype][13 pkts/995 bytes <-> 4 pkts/391 bytes] - 252 TCP 192.168.1.34:50119 <-> 86.31.35.30:59621 [proto: 125/Skype][62 pkts/6941 bytes <-> 38 pkts/5325 bytes] - 253 TCP 192.168.1.34:50103 <-> 64.4.23.166:443 [proto: 91/SSL][9 
pkts/862 bytes <-> 3 pkts/285 bytes] - 254 TCP 192.168.1.34:50030 <-> 65.55.223.33:443 [proto: 91/SSL][11 pkts/960 bytes <-> 4 pkts/351 bytes] - 255 TCP 192.168.1.34:50066 <-> 65.55.223.12:443 [proto: 91/SSL][12 pkts/1221 bytes <-> 3 pkts/231 bytes] - 256 TCP 192.168.1.34:50102 <-> 65.55.223.15:443 [proto: 91/SSL][11 pkts/1140 bytes <-> 3 pkts/250 bytes] - 257 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][79 pkts/29479 bytes -> 0 pkts/0 bytes] - 258 UDP 192.168.1.34:13021 -> 71.62.0.85:33647 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] - 259 UDP 192.168.1.92:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][4 pkts/828 bytes -> 0 pkts/0 bytes] - 260 UDP 192.168.1.34:13021 -> 64.4.23.159:40009 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 261 UDP 192.168.1.34:13021 -> 64.4.23.151:40029 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 262 UDP 192.168.1.34:13021 -> 64.4.23.170:40011 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 263 UDP 192.168.1.34:13021 -> 64.4.23.173:40017 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 264 UDP 192.168.1.34:13021 -> 65.55.223.15:40026 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 265 UDP 192.168.1.34:13021 -> 65.55.223.43:40002 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 266 UDP 192.168.1.34:13021 -> 65.55.223.17:40022 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 267 UDP 192.168.1.34:13021 -> 65.55.223.25:40028 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 268 UDP 192.168.1.34:13021 -> 65.55.223.24:40032 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 269 UDP 192.168.1.34:13021 -> 65.55.223.28:40026 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 270 UDP 192.168.1.34:13021 -> 65.55.223.26:40004 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 271 UDP 192.168.1.34:13021 -> 65.55.223.29:40010 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 272 UDP 192.168.1.34:13021 -> 65.55.223.45:40012 [proto: 125/Skype][1 
pkts/71 bytes -> 0 pkts/0 bytes] - 273 UDP 192.168.1.34:123 <-> 17.253.48.245:123 [proto: 9/NTP][1 pkts/90 bytes <-> 1 pkts/90 bytes] - 274 TCP 192.168.1.34:50111 <-> 91.190.216.125:443 [proto: 91.125/SSL.Skype][11 pkts/955 bytes <-> 9 pkts/561 bytes] - 275 TCP 192.168.1.34:50123 <-> 80.14.46.121:4415 [proto: 125/Skype][14 pkts/1075 bytes <-> 4 pkts/431 bytes] - 276 TCP 192.168.1.34:50141 <-> 80.14.46.121:4415 [proto: 125/Skype][13 pkts/994 bytes <-> 2 pkts/243 bytes] - 277 TCP 108.160.170.46:443 <-> 192.168.1.34:49445 [proto: 91.121/SSL.Dropbox][8 pkts/1636 bytes <-> 8 pkts/4344 bytes] - 278 TCP 192.168.1.34:50058 <-> 111.221.74.47:443 [proto: 91.125/SSL.Skype][10 pkts/857 bytes <-> 4 pkts/351 bytes] - 279 TCP 192.168.1.34:50100 <-> 111.221.74.46:443 [proto: 91.125/SSL.Skype][10 pkts/872 bytes <-> 3 pkts/237 bytes] - 280 TCP 192.168.1.34:50035 <-> 213.199.179.175:40021 [proto: 125/Skype][13 pkts/982 bytes <-> 4 pkts/322 bytes] - 281 TCP 192.168.1.34:50075 <-> 213.199.179.142:40003 [proto: 125/Skype][14 pkts/1100 bytes <-> 5 pkts/395 bytes] - 282 UDP [fe80::c62c:3ff:fe06:49fe]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][4 pkts/908 bytes -> 0 pkts/0 bytes] + 222 UDP 192.168.1.34:13021 -> 157.55.56.146:33033 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 223 UDP 192.168.1.34:13021 -> 111.221.74.17:40022 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 224 UDP 192.168.1.34:13021 -> 157.56.52.37:40032 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 225 UDP 192.168.1.34:13021 -> 157.55.235.166:40015 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 226 UDP 192.168.1.34:13021 -> 65.55.223.41:40027 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 227 UDP 192.168.1.34:13021 -> 64.4.23.148:40010 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 228 UDP 192.168.1.34:13021 -> 157.55.235.160:40027 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 229 UDP 192.168.1.34:13021 -> 111.221.77.148:40029 [proto: 125/Skype][1 pkts/69 bytes 
-> 0 pkts/0 bytes] + 230 UDP 192.168.1.34:13021 -> 157.55.130.146:33033 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 231 UDP 192.168.1.34:13021 -> 65.55.223.18:33033 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 232 UDP 192.168.1.34:13021 -> 157.55.235.143:40030 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 233 UDP 192.168.1.34:13021 -> 157.55.56.165:40020 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 234 UDP 192.168.1.34:13021 -> 157.55.56.145:40027 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 235 UDP 192.168.1.34:13021 -> 157.55.235.145:40022 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 236 UDP 192.168.1.34:13021 -> 111.221.77.160:40028 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 237 UDP 192.168.1.34:13021 -> 157.56.52.15:40027 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 238 UDP 192.168.1.34:13021 -> 64.4.23.140:40012 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 239 UDP 192.168.1.34:13021 -> 111.221.74.19:40001 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 240 UDP 192.168.1.34:13021 -> 111.221.77.168:40007 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 241 UDP 192.168.1.34:13021 -> 64.4.23.170:40011 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 242 UDP 192.168.1.34:13021 -> 157.56.52.45:40012 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 243 UDP 192.168.1.34:13021 -> 111.221.77.154:40017 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 244 UDP 192.168.1.34:13021 -> 157.55.130.157:40013 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 245 UDP 192.168.1.34:13021 -> 111.221.77.141:40020 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 246 UDP 192.168.1.34:13021 -> 65.55.223.24:40032 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 247 UDP 192.168.1.34:13021 -> 111.221.74.16:40032 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 248 UDP 192.168.1.34:13021 -> 111.221.77.149:40030 [proto: 
125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 249 UDP 192.168.1.34:13021 -> 157.55.130.160:40029 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 250 UDP 192.168.1.34:13021 -> 213.199.179.146:40030 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 251 UDP 192.168.1.34:13021 -> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 252 UDP 192.168.1.34:13021 -> 157.55.130.172:40019 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 253 UDP 192.168.1.34:13021 -> 157.55.235.146:33033 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 254 UDP 192.168.1.34:13021 -> 65.55.223.38:40015 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 255 UDP 192.168.1.34:13021 -> 65.55.223.15:40026 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 256 UDP 192.168.1.34:13021 -> 213.199.179.145:40027 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 257 UDP 192.168.1.34:13021 -> 157.55.130.144:40034 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 258 UDP 192.168.1.34:13021 -> 64.4.23.173:40017 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 259 UDP 192.168.1.34:13021 -> 64.4.23.146:33033 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 260 UDP 192.168.1.34:13021 -> 111.221.74.25:40028 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 261 UDP 192.168.1.34:13021 -> 111.221.77.143:40022 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 262 UDP 192.168.1.34:13021 -> 65.55.223.44:40013 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 263 UDP 192.168.1.34:13021 -> 157.55.235.173:40012 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 264 UDP 192.168.1.34:13021 -> 157.56.52.47:40029 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 265 UDP 192.168.1.34:13021 -> 157.55.56.166:40022 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 266 UDP 192.168.1.34:13021 -> 157.56.52.24:40001 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 267 UDP 192.168.1.34:13021 -> 
213.199.179.152:40023 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 268 UDP 192.168.1.34:13021 -> 157.55.130.148:40019 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 269 UDP 192.168.1.34:13021 -> 157.55.235.159:40021 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 270 UDP 192.168.1.34:13021 -> 157.55.235.158:40031 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 271 UDP 192.168.1.34:13021 -> 65.55.223.20:40033 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 272 UDP 192.168.1.34:13021 -> 157.56.52.21:40004 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 273 UDP 192.168.1.34:13021 -> 111.221.77.140:40003 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 274 UDP 192.168.1.34:13021 -> 111.221.74.24:40001 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 275 IGMP 192.168.1.92:0 -> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] + 276 IGMP 192.168.1.1:0 -> 224.0.0.1:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] + 277 UDP 192.168.1.34:13021 -> 157.55.130.145:443 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] + 278 UDP 192.168.1.34:13021 -> 65.55.223.39:443 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] + 279 UDP 192.168.1.34:13021 -> 176.97.100.249:26635 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] + 280 UDP 192.168.1.34:13021 -> 106.188.249.186:15120 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] + 281 UDP 192.168.1.34:13021 -> 71.62.0.85:33647 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] + 282 IGMP 192.168.1.34:0 -> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/46 bytes -> 0 pkts/0 bytes] Undetected flows: - 1 TCP 192.168.1.34:50133 <-> 149.13.32.15:13392 [proto: 0/Unknown][9 pkts/1968 bytes <-> 7 pkts/632 bytes] - 2 UDP 192.168.1.34:49511 -> 192.168.1.1:5351 [proto: 0/Unknown][4 pkts/216 bytes -> 0 pkts/0 bytes] - 3 UDP 192.168.1.34:54067 -> 192.168.1.1:5351 [proto: 0/Unknown][4 pkts/216 bytes -> 0 pkts/0 bytes] - 4 TCP 192.168.1.34:50124 <-> 
81.133.19.185:44431 [proto: 0/Unknown][11 pkts/854 bytes <-> 11 pkts/782 bytes] - 5 TCP 192.168.1.34:50131 <-> 212.161.8.36:13392 [proto: 0/Unknown][11 pkts/4406 bytes <-> 8 pkts/705 bytes] + 1 TCP 192.168.1.34:50121 <-> 81.83.77.141:17639 [proto: 0/Unknown][24 pkts/3101 bytes <-> 16 pkts/2508 bytes] + 2 TCP 192.168.1.34:50131 <-> 212.161.8.36:13392 [proto: 0/Unknown][11 pkts/4406 bytes <-> 8 pkts/705 bytes] + 3 TCP 192.168.1.34:50133 <-> 149.13.32.15:13392 [proto: 0/Unknown][9 pkts/1968 bytes <-> 7 pkts/632 bytes] + 4 TCP 192.168.1.34:50127 <-> 80.14.46.121:4415 [proto: 0/Unknown][16 pkts/1169 bytes <-> 11 pkts/929 bytes] + 5 TCP 192.168.1.34:50124 <-> 81.133.19.185:44431 [proto: 0/Unknown][11 pkts/854 bytes <-> 11 pkts/782 bytes] 6 TCP 192.168.1.34:50142 <-> 80.14.46.121:4415 [proto: 0/Unknown][12 pkts/985 bytes <-> 6 pkts/489 bytes] - 7 TCP 192.168.1.34:50121 <-> 81.83.77.141:17639 [proto: 0/Unknown][24 pkts/3101 bytes <-> 16 pkts/2508 bytes] - 8 TCP 192.168.1.34:50140 <-> 76.167.161.6:20274 [proto: 0/Unknown][2 pkts/132 bytes <-> 1 pkts/74 bytes] - 9 TCP 192.168.1.34:50144 <-> 78.202.226.115:29059 [proto: 0/Unknown][10 pkts/797 bytes <-> 4 pkts/342 bytes] - 10 TCP 192.168.1.34:50145 -> 157.56.53.51:12350 [proto: 0/Unknown][8 pkts/608 bytes -> 0 pkts/0 bytes] - 11 TCP 192.168.1.34:50127 <-> 80.14.46.121:4415 [proto: 0/Unknown][16 pkts/1169 bytes <-> 11 pkts/929 bytes] + 7 TCP 192.168.1.34:50144 <-> 78.202.226.115:29059 [proto: 0/Unknown][10 pkts/797 bytes <-> 4 pkts/342 bytes] + 8 TCP 192.168.1.34:50145 -> 157.56.53.51:12350 [proto: 0/Unknown][8 pkts/608 bytes -> 0 pkts/0 bytes] + 9 UDP 192.168.1.34:49511 -> 192.168.1.1:5351 [proto: 0/Unknown][4 pkts/216 bytes -> 0 pkts/0 bytes] + 10 UDP 192.168.1.34:54067 -> 192.168.1.1:5351 [proto: 0/Unknown][4 pkts/216 bytes -> 0 pkts/0 bytes] + 11 TCP 192.168.1.34:50140 <-> 76.167.161.6:20274 [proto: 0/Unknown][2 pkts/132 bytes <-> 1 pkts/74 bytes] 
diff --git a/tests/result/skype_no_unknown.pcap.out b/tests/result/skype_no_unknown.pcap.out
index e2991bcd6..654974b9c 100644
--- a/tests/result/skype_no_unknown.pcap.out
+++ b/tests/result/skype_no_unknown.pcap.out
@@ -11,273 +11,273 @@ Skype 1291 190136 223 Apple 84 20699 2 MS_OneDrive 348 181687 1 - 1 UDP 192.168.1.34:13021 -> 189.138.161.88:19521 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] - 2 TCP 192.168.1.34:51290 <-> 5.248.186.221:31010 [proto: 125/Skype][14 pkts/1070 bytes <-> 4 pkts/420 bytes] - 3 UDP 192.168.1.34:13021 -> 111.221.74.15:40026 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 4 UDP 192.168.1.34:13021 -> 111.221.77.143:40022 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 5 UDP 192.168.1.34:13021 -> 111.221.74.42:40006 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 6 UDP 192.168.1.34:13021 -> 111.221.74.24:40032 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 7 UDP 192.168.1.34:13021 -> 111.221.74.28:40026 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 8 UDP 192.168.1.34:13021 -> 111.221.77.145:40024 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 9 UDP 192.168.1.34:13021 -> 111.221.77.165:40004 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 10 UDP 192.168.1.34:13021 -> 111.221.77.160:40016 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 11 UDP 192.168.1.34:13021 -> 111.221.77.149:40016 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 12 UDP 192.168.1.34:13021 -> 111.221.77.171:40030 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 13 UDP 192.168.1.34:13021 -> 111.221.77.173:40012 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 14 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes -> 0 pkts/0 bytes] - 15 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes -> 0 pkts/0 bytes] - 16 TCP 192.168.1.34:51284 <-> 91.190.218.125:12350 [proto: 125/Skype][3 pkts/237 bytes <-> 3 pkts/186 bytes] - 17 TCP 192.168.1.34:51296 <-> 91.190.216.125:12350 [proto: 125/Skype][3 pkts/293 bytes <-> 3 pkts/186 bytes] - 18 TCP 192.168.1.34:51289 <-> 71.238.7.203:18767 [proto: 125/Skype][13 pkts/991 bytes <-> 4 pkts/378 
bytes] - 19 UDP 192.168.1.34:13021 -> 157.56.52.18:33033 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 20 TCP 192.168.1.34:51311 <-> 93.79.224.176:14506 [proto: 125/Skype][11 pkts/848 bytes <-> 3 pkts/286 bytes] - 21 TCP 192.168.1.34:51238 <-> 157.55.235.147:443 [proto: 91.125/SSL.Skype][13 pkts/1446 bytes <-> 4 pkts/266 bytes] - 22 TCP 192.168.1.34:51247 <-> 157.56.52.44:443 [proto: 91.125/SSL.Skype][10 pkts/1077 bytes <-> 4 pkts/351 bytes] - 23 TCP 192.168.1.34:51260 <-> 157.55.130.142:443 [proto: 91.125/SSL.Skype][12 pkts/1249 bytes <-> 3 pkts/265 bytes] - 24 TCP 192.168.1.34:51280 <-> 157.55.235.146:443 [proto: 91.125/SSL.Skype][12 pkts/1130 bytes <-> 3 pkts/285 bytes] - 25 TCP 192.168.1.34:51274 <-> 157.55.235.152:443 [proto: 91.125/SSL.Skype][12 pkts/1235 bytes <-> 3 pkts/285 bytes] - 26 UDP 192.168.1.34:13021 -> 157.55.130.165:40028 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 27 UDP 192.168.1.34:13021 -> 157.56.52.27:40025 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 28 UDP 192.168.1.34:13021 -> 157.56.52.12:40031 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 29 UDP 192.168.1.34:13021 -> 157.56.52.15:40027 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 30 UDP 192.168.1.34:13021 -> 157.56.52.13:40021 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 31 UDP 192.168.1.34:13021 -> 157.56.52.20:40033 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 32 UDP 192.168.1.34:13021 -> 157.56.52.17:40013 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 33 UDP 192.168.1.34:13021 -> 157.55.235.143:40030 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 34 UDP 192.168.1.34:13021 -> 157.56.52.39:40031 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 35 UDP 192.168.1.34:13021 -> 157.56.52.38:40015 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 36 UDP 192.168.1.34:13021 -> 157.56.52.42:40005 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 37 UDP 192.168.1.34:13021 -> 
157.56.52.40:40017 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 38 UDP 192.168.1.34:13021 -> 157.55.56.143:40018 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 39 UDP 192.168.1.34:13021 -> 157.55.56.145:40008 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 40 UDP 192.168.1.34:13021 -> 157.55.130.144:40016 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 41 UDP 192.168.1.34:13021 -> 157.55.235.144:40032 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 42 UDP 192.168.1.34:13021 -> 157.55.130.160:40008 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 43 UDP 192.168.1.34:13021 -> 157.55.130.152:40022 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 44 UDP 192.168.1.34:13021 -> 157.55.56.150:40014 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 45 UDP 192.168.1.34:13021 -> 157.55.56.147:40014 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 46 UDP 192.168.1.34:13021 -> 157.55.56.146:40030 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 47 UDP 192.168.1.34:13021 -> 157.55.130.159:40016 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 48 UDP 192.168.1.34:13021 -> 157.55.235.160:40022 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 49 UDP 192.168.1.34:13021 -> 157.55.235.168:40024 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 50 UDP 192.168.1.34:13021 -> 157.55.56.167:40024 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 51 UDP 192.168.1.34:13021 -> 157.55.130.171:40012 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 52 UDP 192.168.1.34:13021 -> 157.55.130.170:40018 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 53 UDP 192.168.1.34:13021 -> 157.55.235.172:40020 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 54 UDP 192.168.1.34:13021 -> 157.55.235.171:40006 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 55 UDP 192.168.1.34:13021 -> 157.55.130.175:40006 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 56 UDP 
192.168.1.34:13021 -> 133.236.67.25:49195 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] - 57 UDP 192.168.1.34:50055 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] - 58 TCP 192.168.1.34:51305 <-> 149.13.32.15:13392 [proto: 125/Skype][14 pkts/1093 bytes <-> 4 pkts/333 bytes] - 59 TCP 192.168.1.34:51309 <-> 149.13.32.15:13392 [proto: 125/Skype][12 pkts/916 bytes <-> 3 pkts/281 bytes] - 60 UDP 192.168.1.34:51753 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] - 61 TCP 192.168.1.34:51262 <-> 213.199.179.176:443 [proto: 91/SSL][13 pkts/1437 bytes <-> 3 pkts/200 bytes] - 62 TCP 192.168.1.34:51251 <-> 64.4.23.166:40029 [proto: 125/Skype][12 pkts/948 bytes <-> 4 pkts/349 bytes] - 63 UDP 192.168.1.34:13021 -> 111.221.74.14:443 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] - 64 UDP 192.168.1.34:13021 -> 213.199.179.160:40030 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 65 UDP 192.168.1.34:13021 -> 213.199.179.143:40018 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 66 UDP 192.168.1.34:13021 -> 213.199.179.145:40024 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 67 UDP 192.168.1.34:13021 -> 213.199.179.146:40030 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 68 UDP 192.168.1.34:13021 -> 213.199.179.149:40030 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 69 UDP 192.168.1.34:13021 -> 213.199.179.165:40004 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 70 UDP 192.168.1.34:58631 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes -> 0 pkts/0 bytes][Host: conn.skype.akadns.net] - 71 UDP 192.168.1.34:59113 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/539 bytes -> 0 pkts/0 bytes][Host: dsn13.d.skype.net] - 72 UDP 192.168.1.34:60413 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst0.r.skype.net] - 73 UDP 
192.168.1.34:61095 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] - 74 UDP 192.168.1.34:62875 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/539 bytes -> 0 pkts/0 bytes][Host: dsn13.d.skype.net] - 75 UDP 192.168.1.34:63661 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net] - 76 UDP 192.168.1.34:64971 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: a.config.skype.com] - 77 TCP 192.168.1.34:51313 <-> 212.161.8.36:13392 [proto: 125/Skype][11 pkts/855 bytes <-> 3 pkts/287 bytes] - 78 TCP 192.168.1.34:51256 <-> 111.221.77.142:40013 [proto: 125/Skype][11 pkts/815 bytes <-> 5 pkts/423 bytes] - 79 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][101 pkts/30681 bytes <-> 98 pkts/59934 bytes] - 80 UDP 192.168.1.34:13021 -> 157.55.235.141:443 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] - 81 UDP 192.168.1.34:58061 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] - 82 IGMP 192.168.1.219:0 -> 233.89.188.1:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 83 UDP 192.168.1.34:59237 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] - 84 TCP 17.143.160.149:5223 <-> 192.168.1.34:50407 [proto: 140/Apple][4 pkts/674 bytes <-> 4 pkts/444 bytes] - 85 UDP 192.168.1.34:13021 -> 83.31.12.173:23939 [proto: 125/Skype][5 pkts/300 bytes -> 0 pkts/0 bytes] - 86 UDP 192.168.1.34:13021 -> 65.55.223.18:33033 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 87 UDP 192.168.1.34:13021 -> 65.55.223.65:33033 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 88 TCP 192.168.1.34:51229 <-> 157.56.52.28:40009 [proto: 125/Skype][12 pkts/951 bytes <-> 4 pkts/341 bytes] - 89 TCP 192.168.1.34:51234 <-> 157.55.235.147:40001 [proto: 125/Skype][14 pkts/1117 bytes <-> 4 pkts/337 bytes] - 90 TCP 192.168.1.34:51246 <-> 157.56.52.44:40020 [proto: 
125/Skype][11 pkts/856 bytes <-> 5 pkts/409 bytes] - 91 TCP 192.168.1.34:51276 <-> 157.55.235.146:40021 [proto: 125/Skype][13 pkts/981 bytes <-> 4 pkts/348 bytes] - 92 TCP 192.168.1.34:51237 <-> 157.55.130.176:40022 [proto: 125/Skype][13 pkts/986 bytes <-> 4 pkts/344 bytes] - 93 TCP 192.168.1.34:51257 <-> 157.55.235.170:40032 [proto: 125/Skype][14 pkts/1059 bytes <-> 4 pkts/367 bytes] - 94 TCP 192.168.1.34:51272 <-> 157.55.235.152:40029 [proto: 125/Skype][13 pkts/1006 bytes <-> 4 pkts/361 bytes] - 95 TCP 192.168.1.34:51277 <-> 157.55.235.156:40026 [proto: 125/Skype][13 pkts/1011 bytes <-> 4 pkts/415 bytes] - 96 TCP 192.168.1.34:51282 <-> 64.4.23.159:443 [proto: 91/SSL][10 pkts/972 bytes <-> 3 pkts/285 bytes] - 97 TCP 192.168.1.34:51239 <-> 65.55.223.45:443 [proto: 91/SSL][12 pkts/1291 bytes <-> 3 pkts/242 bytes] - 98 UDP 192.168.1.34:13021 -> 64.4.23.165:40004 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 99 UDP 192.168.1.34:13021 -> 64.4.23.143:40018 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 100 UDP 192.168.1.34:13021 -> 64.4.23.154:40032 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 101 UDP 192.168.1.34:13021 -> 64.4.23.149:40030 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 102 UDP 192.168.1.34:13021 -> 64.4.23.155:40004 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 103 UDP 192.168.1.34:13021 -> 65.55.223.17:40025 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 104 UDP 192.168.1.34:13021 -> 65.55.223.13:40009 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 105 UDP 192.168.1.34:13021 -> 65.55.223.22:40009 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 106 UDP 192.168.1.34:13021 -> 65.55.223.20:40023 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 107 UDP 192.168.1.34:13021 -> 65.55.223.18:40025 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 108 UDP 192.168.1.34:13021 -> 65.55.223.27:40029 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 109 UDP 
192.168.1.34:13021 -> 65.55.223.24:40029 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 110 TCP 192.168.1.34:51286 <-> 91.190.218.125:443 [proto: 91.125/SSL.Skype][3 pkts/191 bytes <-> 3 pkts/186 bytes] - 111 TCP 192.168.1.34:51302 <-> 91.190.216.125:443 [proto: 91.125/SSL.Skype][6 pkts/353 bytes <-> 4 pkts/246 bytes] - 112 UDP 192.168.1.34:13021 -> 111.221.77.146:33033 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 113 UDP 192.168.1.34:13021 -> 111.221.74.18:33033 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 114 TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 91.121/SSL.Dropbox][4 pkts/818 bytes <-> 4 pkts/2172 bytes] - 115 TCP 192.168.1.34:51259 <-> 111.221.77.142:443 [proto: 91.125/SSL.Skype][10 pkts/902 bytes <-> 4 pkts/351 bytes] - 116 TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91.125/SSL.Skype][2 pkts/132 bytes <-> 1 pkts/74 bytes] - 117 TCP 192.168.1.34:51258 <-> 213.199.179.176:40021 [proto: 125/Skype][14 pkts/1104 bytes <-> 5 pkts/392 bytes] - 118 TCP 192.168.1.34:51293 <-> 5.248.186.221:31010 [proto: 125/Skype][12 pkts/2194 bytes <-> 8 pkts/1711 bytes] - 119 UDP 192.168.1.34:13021 -> 111.221.74.34:40027 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 120 UDP 192.168.1.34:13021 -> 111.221.74.33:40011 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 121 UDP 192.168.1.34:13021 -> 111.221.74.13:40009 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 122 UDP 192.168.1.34:13021 -> 111.221.74.27:40027 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 123 UDP 192.168.1.34:13021 -> 111.221.74.20:40033 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 124 UDP 192.168.1.34:13021 -> 111.221.74.19:40001 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 125 UDP 192.168.1.34:13021 -> 111.221.74.44:40019 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 126 UDP 192.168.1.34:13021 -> 111.221.74.38:40015 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 127 UDP 
192.168.1.34:13021 -> 111.221.74.43:40001 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 128 UDP 192.168.1.34:13021 -> 111.221.74.40:40025 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 129 UDP 192.168.1.34:13021 -> 111.221.74.46:40027 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 130 UDP 192.168.1.34:13021 -> 111.221.77.159:40031 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 131 UDP 192.168.1.34:13021 -> 111.221.77.151:40029 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 132 UDP 192.168.1.34:13021 -> 111.221.77.154:40017 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 133 UDP 192.168.1.34:13021 -> 111.221.77.170:40021 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 134 UDP 192.168.1.34:13021 -> 189.188.134.174:22436 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] - 135 TCP 192.168.1.34:51285 <-> 91.190.218.125:12350 [proto: 125/Skype][3 pkts/191 bytes <-> 3 pkts/186 bytes] - 136 TCP 192.168.1.34:51297 <-> 91.190.216.24:12350 [proto: 125/Skype][12 pkts/3242 bytes <-> 3 pkts/290 bytes] - 137 TCP 192.168.1.34:51299 <-> 91.190.216.125:12350 [proto: 125/Skype][6 pkts/353 bytes <-> 5 pkts/306 bytes] - 138 TCP 192.168.1.34:51292 <-> 71.238.7.203:18767 [proto: 125/Skype][17 pkts/2686 bytes <-> 13 pkts/2218 bytes] - 139 UDP 192.168.1.34:13021 -> 157.55.235.146:33033 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 140 UDP 192.168.1.34:13021 -> 157.55.130.146:33033 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 141 TCP 192.168.1.34:51291 <-> 81.83.77.141:17639 [proto: 125/Skype][12 pkts/942 bytes <-> 3 pkts/284 bytes] - 142 TCP 192.168.1.34:51288 <-> 76.167.161.6:20274 [proto: 125/Skype][11 pkts/861 bytes <-> 4 pkts/397 bytes] - 143 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][server: *.gateway.messenger.live.com] - 144 TCP 192.168.1.34:51232 <-> 157.56.52.28:443 [proto: 91.125/SSL.Skype][10 pkts/872 bytes <-> 
3 pkts/285 bytes] - 145 TCP 192.168.1.34:51241 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][12 pkts/1333 bytes <-> 3 pkts/251 bytes] - 146 TCP 192.168.1.34:51261 <-> 157.55.235.170:443 [proto: 91.125/SSL.Skype][12 pkts/1284 bytes <-> 3 pkts/285 bytes] - 147 TCP 192.168.1.34:51281 <-> 157.55.235.156:443 [proto: 91.125/SSL.Skype][12 pkts/1095 bytes <-> 3 pkts/285 bytes] - 148 UDP 192.168.1.34:13021 -> 174.49.171.224:32011 [proto: 125/Skype][5 pkts/300 bytes -> 0 pkts/0 bytes] - 149 UDP 192.168.1.34:13021 -> 157.55.56.170:40015 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 150 UDP 192.168.1.34:13021 -> 157.56.52.19:40020 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] - 151 UDP 192.168.1.34:13021 -> 157.56.52.16:40032 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 152 UDP 192.168.1.34:13021 -> 157.56.52.25:40010 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 153 UDP 192.168.1.34:13021 -> 157.56.52.24:40032 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 154 UDP 192.168.1.34:13021 -> 157.55.130.154:40013 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 155 UDP 192.168.1.34:13021 -> 157.55.130.150:40007 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 156 UDP 192.168.1.34:13021 -> 157.55.130.149:40011 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 157 UDP 192.168.1.34:13021 -> 157.55.56.142:40013 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 158 UDP 192.168.1.34:13021 -> 157.56.52.33:40002 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 159 UDP 192.168.1.34:13021 -> 157.56.52.29:40010 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 160 UDP 192.168.1.34:13021 -> 157.55.56.140:40003 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 161 UDP 192.168.1.34:13021 -> 157.56.52.43:40006 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 162 UDP 192.168.1.34:13021 -> 157.55.130.140:40011 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 163 UDP 192.168.1.34:13021 -> 
157.55.130.146:40033 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 164 UDP 192.168.1.34:13021 -> 157.55.130.148:40019 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 165 UDP 192.168.1.34:13021 -> 157.55.235.148:40033 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 166 UDP 192.168.1.34:13021 -> 157.55.235.162:40033 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 167 UDP 192.168.1.34:13021 -> 157.55.130.156:40019 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 168 UDP 192.168.1.34:13021 -> 157.55.235.155:40027 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 169 UDP 192.168.1.34:13021 -> 157.55.56.161:40031 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 170 UDP 192.168.1.34:13021 -> 157.55.235.158:40027 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 171 UDP 192.168.1.34:13021 -> 157.55.130.157:40013 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 172 UDP 192.168.1.34:13021 -> 157.55.235.167:40029 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] - 173 UDP 192.168.1.34:13021 -> 157.55.130.167:40031 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 174 UDP 192.168.1.34:13021 -> 157.55.235.166:40015 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 1 TCP 192.168.1.34:51230 <-> 157.56.126.211:443 [proto: 91.221/SSL.MS_OneDrive][166 pkts/39042 bytes <-> 182 pkts/142645 bytes][server: *.gateway.messenger.live.com] + 2 TCP 192.168.1.34:51279 <-> 111.221.74.48:40008 [proto: 125/Skype][101 pkts/30681 bytes <-> 98 pkts/59934 bytes] + 3 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/SSL.Apple][38 pkts/9082 bytes <-> 38 pkts/10499 bytes] + 4 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][36 pkts/13402 bytes -> 0 pkts/0 bytes] + 5 TCP 192.168.1.34:51292 <-> 71.238.7.203:18767 [proto: 125/Skype][17 pkts/2686 bytes <-> 13 pkts/2218 bytes] + 6 TCP 192.168.1.34:51293 <-> 5.248.186.221:31010 [proto: 125/Skype][12 pkts/2194 bytes <-> 8 pkts/1711 bytes] + 7 TCP 
192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][16 pkts/3461 bytes <-> 1 pkts/74 bytes][client: apps.skype.com] + 8 TCP 192.168.1.34:51297 <-> 91.190.216.24:12350 [proto: 125/Skype][12 pkts/3242 bytes <-> 3 pkts/290 bytes] + 9 TCP 108.160.163.108:443 <-> 192.168.1.34:51222 [proto: 91.121/SSL.Dropbox][4 pkts/818 bytes <-> 4 pkts/2172 bytes] + 10 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][11 pkts/2074 bytes <-> 1 pkts/74 bytes][client: apps.skype.com] + 11 TCP 192.168.1.34:51238 <-> 157.55.235.147:443 [proto: 91.125/SSL.Skype][13 pkts/1446 bytes <-> 4 pkts/266 bytes] + 12 TCP 192.168.1.34:51262 <-> 213.199.179.176:443 [proto: 91/SSL][13 pkts/1437 bytes <-> 3 pkts/200 bytes] + 13 TCP 192.168.1.34:51241 <-> 157.55.130.176:443 [proto: 91.125/SSL.Skype][12 pkts/1333 bytes <-> 3 pkts/251 bytes] + 14 TCP 192.168.1.34:51261 <-> 157.55.235.170:443 [proto: 91.125/SSL.Skype][12 pkts/1284 bytes <-> 3 pkts/285 bytes] + 15 TCP 192.168.1.34:51239 <-> 65.55.223.45:443 [proto: 91/SSL][12 pkts/1291 bytes <-> 3 pkts/242 bytes] + 16 TCP 192.168.1.34:51274 <-> 157.55.235.152:443 [proto: 91.125/SSL.Skype][12 pkts/1235 bytes <-> 3 pkts/285 bytes] + 17 TCP 192.168.1.34:51260 <-> 157.55.130.142:443 [proto: 91.125/SSL.Skype][12 pkts/1249 bytes <-> 3 pkts/265 bytes] + 18 TCP 192.168.1.34:51258 <-> 213.199.179.176:40021 [proto: 125/Skype][14 pkts/1104 bytes <-> 5 pkts/392 bytes] + 19 TCP 192.168.1.34:51269 <-> 213.199.179.175:40029 [proto: 125/Skype][14 pkts/1106 bytes <-> 5 pkts/385 bytes] + 20 TCP 192.168.1.34:51290 <-> 5.248.186.221:31010 [proto: 125/Skype][14 pkts/1070 bytes <-> 4 pkts/420 bytes] + 21 TCP 192.168.1.34:51234 <-> 157.55.235.147:40001 [proto: 125/Skype][14 pkts/1117 bytes <-> 4 pkts/337 bytes] + 22 TCP 192.168.1.34:51253 <-> 64.4.23.166:443 [proto: 91/SSL][11 pkts/1164 bytes <-> 3 pkts/268 bytes] + 23 TCP 192.168.1.34:51247 <-> 157.56.52.44:443 [proto: 91.125/SSL.Skype][10 pkts/1077 bytes <-> 4 pkts/351 bytes] + 24 TCP 
192.168.1.34:51305 <-> 149.13.32.15:13392 [proto: 125/Skype][14 pkts/1093 bytes <-> 4 pkts/333 bytes] + 25 TCP 192.168.1.34:51257 <-> 157.55.235.170:40032 [proto: 125/Skype][14 pkts/1059 bytes <-> 4 pkts/367 bytes] + 26 TCP 192.168.1.34:51277 <-> 157.55.235.156:40026 [proto: 125/Skype][13 pkts/1011 bytes <-> 4 pkts/415 bytes] + 27 TCP 192.168.1.34:51271 <-> 213.199.179.175:443 [proto: 91/SSL][12 pkts/1130 bytes <-> 3 pkts/285 bytes] + 28 TCP 192.168.1.34:51280 <-> 157.55.235.146:443 [proto: 91.125/SSL.Skype][12 pkts/1130 bytes <-> 3 pkts/285 bytes] + 29 TCP 192.168.1.34:51281 <-> 157.55.235.156:443 [proto: 91.125/SSL.Skype][12 pkts/1095 bytes <-> 3 pkts/285 bytes] + 30 TCP 192.168.1.34:51240 <-> 111.221.74.45:443 [proto: 91.125/SSL.Skype][10 pkts/1022 bytes <-> 4 pkts/351 bytes] + 31 TCP 192.168.1.34:51289 <-> 71.238.7.203:18767 [proto: 125/Skype][13 pkts/991 bytes <-> 4 pkts/378 bytes] + 32 TCP 192.168.1.34:51272 <-> 157.55.235.152:40029 [proto: 125/Skype][13 pkts/1006 bytes <-> 4 pkts/361 bytes] + 33 TCP 192.168.1.34:51250 <-> 111.221.77.175:443 [proto: 91.125/SSL.Skype][10 pkts/1012 bytes <-> 4 pkts/351 bytes] + 34 TCP 192.168.1.34:51235 <-> 65.55.223.45:40009 [proto: 125/Skype][13 pkts/976 bytes <-> 4 pkts/365 bytes] + 35 TCP 192.168.1.34:51237 <-> 157.55.130.176:40022 [proto: 125/Skype][13 pkts/986 bytes <-> 4 pkts/344 bytes] + 36 TCP 192.168.1.34:51276 <-> 157.55.235.146:40021 [proto: 125/Skype][13 pkts/981 bytes <-> 4 pkts/348 bytes] + 37 TCP 192.168.1.34:51255 <-> 157.55.130.142:40005 [proto: 125/Skype][13 pkts/1004 bytes <-> 4 pkts/318 bytes] + 38 TCP 192.168.1.34:51251 <-> 64.4.23.166:40029 [proto: 125/Skype][12 pkts/948 bytes <-> 4 pkts/349 bytes] + 39 TCP 192.168.1.34:51229 <-> 157.56.52.28:40009 [proto: 125/Skype][12 pkts/951 bytes <-> 4 pkts/341 bytes] + 40 TCP 192.168.1.34:51248 <-> 111.221.77.175:40030 [proto: 125/Skype][11 pkts/858 bytes <-> 5 pkts/426 bytes] + 41 TCP 192.168.1.34:51246 <-> 157.56.52.44:40020 [proto: 125/Skype][11 pkts/856 bytes 
<-> 5 pkts/409 bytes] + 42 TCP 192.168.1.34:51288 <-> 76.167.161.6:20274 [proto: 125/Skype][11 pkts/861 bytes <-> 4 pkts/397 bytes] + 43 TCP 192.168.1.34:51236 <-> 111.221.74.45:40008 [proto: 125/Skype][11 pkts/844 bytes <-> 5 pkts/413 bytes] + 44 TCP 192.168.1.34:51282 <-> 64.4.23.159:443 [proto: 91/SSL][10 pkts/972 bytes <-> 3 pkts/285 bytes] + 45 TCP 192.168.1.34:51259 <-> 111.221.77.142:443 [proto: 91.125/SSL.Skype][10 pkts/902 bytes <-> 4 pkts/351 bytes] + 46 TCP 192.168.1.34:51256 <-> 111.221.77.142:40013 [proto: 125/Skype][11 pkts/815 bytes <-> 5 pkts/423 bytes] + 47 TCP 192.168.1.34:51291 <-> 81.83.77.141:17639 [proto: 125/Skype][12 pkts/942 bytes <-> 3 pkts/284 bytes] + 48 TCP 192.168.1.34:51278 <-> 64.4.23.159:40009 [proto: 125/Skype][11 pkts/832 bytes <-> 4 pkts/387 bytes] + 49 TCP 192.168.1.34:51268 <-> 111.221.74.18:443 [proto: 91.125/SSL.Skype][10 pkts/852 bytes <-> 4 pkts/351 bytes] + 50 TCP 192.168.1.34:51309 <-> 149.13.32.15:13392 [proto: 125/Skype][12 pkts/916 bytes <-> 3 pkts/281 bytes] + 51 TCP 192.168.1.34:51316 <-> 149.13.32.15:13392 [proto: 125/Skype][11 pkts/862 bytes <-> 3 pkts/314 bytes] + 52 TCP 192.168.1.34:51267 <-> 111.221.74.18:40025 [proto: 125/Skype][10 pkts/785 bytes <-> 4 pkts/378 bytes] + 53 TCP 192.168.1.34:51232 <-> 157.56.52.28:443 [proto: 91.125/SSL.Skype][10 pkts/872 bytes <-> 3 pkts/285 bytes] + 54 TCP 192.168.1.34:51298 <-> 82.224.110.241:38895 [proto: 125/Skype][12 pkts/931 bytes <-> 2 pkts/219 bytes] + 55 TCP 192.168.1.34:51313 <-> 212.161.8.36:13392 [proto: 125/Skype][11 pkts/855 bytes <-> 3 pkts/287 bytes] + 56 UDP 192.168.1.1:137 <-> 192.168.1.34:137 [proto: 10/NetBIOS][6 pkts/958 bytes <-> 2 pkts/184 bytes] + 57 TCP 192.168.1.34:51311 <-> 93.79.224.176:14506 [proto: 125/Skype][11 pkts/848 bytes <-> 3 pkts/286 bytes] + 58 TCP 17.143.160.149:5223 <-> 192.168.1.34:50407 [proto: 140/Apple][4 pkts/674 bytes <-> 4 pkts/444 bytes] + 59 UDP 192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes -> 
0 pkts/0 bytes] + 60 UDP 192.168.1.34:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes -> 0 pkts/0 bytes] + 61 UDP 192.168.1.92:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes -> 0 pkts/0 bytes] + 62 UDP 192.168.1.92:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes -> 0 pkts/0 bytes] + 63 TCP 192.168.1.34:51318 <-> 212.161.8.36:13392 [proto: 125/Skype][7 pkts/571 bytes <-> 3 pkts/286 bytes] + 64 UDP 192.168.1.34:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][7 pkts/680 bytes -> 0 pkts/0 bytes] + 65 TCP 192.168.1.34:51299 <-> 91.190.216.125:12350 [proto: 125/Skype][6 pkts/353 bytes <-> 5 pkts/306 bytes] + 66 UDP 192.168.1.34:60688 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes -> 0 pkts/0 bytes][Host: conn.skype.akadns.net] + 67 UDP 192.168.1.34:58631 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes -> 0 pkts/0 bytes][Host: conn.skype.akadns.net] + 68 UDP 192.168.1.34:51753 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] + 69 UDP 192.168.1.34:55866 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] + 70 UDP 192.168.1.34:53372 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] + 71 UDP 192.168.1.34:50055 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] + 72 UDP 192.168.1.34:61095 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] + 73 UDP 192.168.1.34:57592 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] + 74 UDP 192.168.1.34:64364 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst0.r.skype.net] + 75 UDP 192.168.1.34:60413 -> 192.168.1.1:53 
[proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst0.r.skype.net] + 76 TCP 192.168.1.34:51302 <-> 91.190.216.125:443 [proto: 91.125/SSL.Skype][6 pkts/353 bytes <-> 4 pkts/246 bytes] + 77 UDP 192.168.1.34:63514 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/576 bytes -> 0 pkts/0 bytes][Host: ui.skype.com] + 78 UDP 192.168.1.34:64971 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: a.config.skype.com] + 79 UDP 192.168.1.34:63342 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] + 80 UDP 192.168.1.34:64258 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] + 81 UDP 192.168.1.34:55028 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: a.config.skype.com] + 82 UDP 192.168.1.34:59113 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/539 bytes -> 0 pkts/0 bytes][Host: dsn13.d.skype.net] + 83 UDP 192.168.1.34:62875 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/539 bytes -> 0 pkts/0 bytes][Host: dsn13.d.skype.net] + 84 UDP 192.168.1.34:49864 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com] + 85 UDP 192.168.1.34:64240 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com] + 86 TCP 192.168.1.34:51296 <-> 91.190.216.125:12350 [proto: 125/Skype][3 pkts/293 bytes <-> 3 pkts/186 bytes] + 87 TCP 192.168.1.34:51308 -> 80.121.84.93:443 [proto: 91/SSL][6 pkts/468 bytes -> 0 pkts/0 bytes] + 88 UDP 192.168.1.1:138 -> 192.168.1.34:138 [proto: 10/NetBIOS][2 pkts/452 bytes -> 0 pkts/0 bytes] + 89 UDP 192.168.1.34:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][2 pkts/432 bytes -> 0 pkts/0 bytes] + 90 TCP 192.168.1.34:51284 <-> 91.190.218.125:12350 [proto: 125/Skype][3 pkts/237 bytes <-> 3 pkts/186 bytes] + 91 TCP 192.168.1.34:51286 <-> 91.190.218.125:443 [proto: 91.125/SSL.Skype][3 
pkts/191 bytes <-> 3 pkts/186 bytes] + 92 TCP 192.168.1.34:51285 <-> 91.190.218.125:12350 [proto: 125/Skype][3 pkts/191 bytes <-> 3 pkts/186 bytes] + 93 UDP 192.168.1.34:58061 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] + 94 UDP 192.168.1.34:59237 -> 239.255.255.250:1900 [proto: 12/SSDP][2 pkts/349 bytes -> 0 pkts/0 bytes] + 95 ICMP 192.168.1.1:0 -> 192.168.1.34:0 [proto: 81/ICMP][4 pkts/328 bytes -> 0 pkts/0 bytes] + 96 UDP 192.168.1.34:13021 -> 174.49.171.224:32011 [proto: 125/Skype][5 pkts/300 bytes -> 0 pkts/0 bytes] + 97 UDP 192.168.1.34:13021 -> 83.31.12.173:23939 [proto: 125/Skype][5 pkts/300 bytes -> 0 pkts/0 bytes] + 98 UDP 192.168.1.34:57694 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/101 bytes <-> 1 pkts/166 bytes][Host: db3msgr5011709.gateway.messenger.live.com] + 99 UDP [fe80::c62c:3ff:fe06:49fe]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes -> 0 pkts/0 bytes] + 100 UDP 192.168.1.92:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/216 bytes -> 0 pkts/0 bytes] + 101 TCP 192.168.1.34:51283 <-> 111.221.74.48:443 [proto: 91.125/SSL.Skype][2 pkts/132 bytes <-> 1 pkts/74 bytes] + 102 UDP 192.168.1.34:59788 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net] + 103 UDP 192.168.1.34:63661 <-> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net] + 104 UDP 192.168.1.92:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/142 bytes -> 0 pkts/0 bytes][Lucas-iMac.local] + 105 UDP 192.168.1.92:53826 -> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes -> 0 pkts/0 bytes] + 106 UDP 192.168.1.92:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes -> 0 pkts/0 bytes] + 107 UDP 192.168.1.34:61016 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/80 bytes -> 0 pkts/0 bytes][Host: apps.skypeassets.com] + 108 UDP 192.168.1.34:13021 -> 157.55.235.144:40032 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 109 
UDP 192.168.1.34:13021 -> 65.55.223.27:40029 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 110 UDP 192.168.1.34:13021 -> 111.221.77.151:40029 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 111 UDP 192.168.1.34:13021 -> 213.199.179.141:40015 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 112 UDP 192.168.1.34:13021 -> 111.221.77.173:40012 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 113 UDP 192.168.1.34:13021 -> 157.55.56.147:40014 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 114 UDP 192.168.1.34:13021 -> 213.199.179.156:40031 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 115 UDP 192.168.1.34:13021 -> 64.4.23.148:40029 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 116 UDP 192.168.1.34:13021 -> 111.221.74.40:40025 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 117 UDP 192.168.1.34:13021 -> 157.56.52.15:40027 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 118 UDP 192.168.1.34:13021 -> 157.55.130.167:40031 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 119 UDP 192.168.1.34:13021 -> 64.4.23.171:40031 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] + 120 UDP 192.168.1.34:13021 -> 64.4.23.143:40018 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 121 UDP 192.168.1.34:13021 -> 213.199.179.165:40004 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 122 UDP 192.168.1.34:13021 -> 157.56.52.39:40031 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 123 UDP 192.168.1.34:13021 -> 111.221.77.170:40021 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 124 UDP 192.168.1.34:13021 -> 213.199.179.143:40018 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 125 UDP 192.168.1.34:13021 -> 157.56.52.43:40006 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 126 UDP 192.168.1.34:13021 -> 111.221.74.28:40026 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] + 127 UDP 192.168.1.34:13021 -> 213.199.179.154:40017 [proto: 125/Skype][1 pkts/78 bytes -> 0 
pkts/0 bytes] + 128 UDP 192.168.1.34:13021 -> 65.55.223.15:40030 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 129 UDP 192.168.1.34:13021 -> 111.221.77.154:40017 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 130 UDP 192.168.1.34:13021 -> 213.199.179.160:40030 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 131 UDP 192.168.1.34:13021 -> 65.55.223.43:40006 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 132 UDP 192.168.1.34:13021 -> 65.55.223.32:40022 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 133 UDP 192.168.1.34:13021 -> 111.221.74.20:40033 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 134 UDP 192.168.1.34:13021 -> 157.56.52.18:33033 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 135 UDP 192.168.1.34:13021 -> 157.56.52.20:40033 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 136 UDP 192.168.1.34:13021 -> 65.55.223.24:40029 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 137 UDP 192.168.1.34:13021 -> 157.55.130.149:40011 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 138 UDP 192.168.1.34:13021 -> 157.55.235.168:40024 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] + 139 UDP 192.168.1.34:13021 -> 157.55.56.170:40015 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 140 UDP 192.168.1.34:13021 -> 65.55.223.42:40024 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 141 UDP 192.168.1.34:13021 -> 65.55.223.44:40020 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 142 UDP 192.168.1.34:13021 -> 157.55.130.165:40028 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 143 UDP 192.168.1.34:13021 -> 111.221.74.33:40011 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 144 UDP 192.168.1.34:13021 -> 64.4.23.158:40021 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 145 UDP 192.168.1.34:13021 -> 64.4.23.173:40017 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 146 UDP 192.168.1.34:13021 -> 157.55.56.140:40003 [proto: 125/Skype][1 pkts/76 
bytes -> 0 pkts/0 bytes] + 147 UDP 192.168.1.34:13021 -> 157.55.130.170:40018 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 148 UDP 192.168.1.34:13021 -> 213.199.179.172:40011 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 149 UDP 192.168.1.34:13021 -> 111.221.77.165:40004 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 150 UDP 192.168.1.34:13021 -> 157.55.235.146:33033 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 151 UDP 192.168.1.34:13021 -> 157.56.52.25:40010 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] + 152 UDP 192.168.1.34:13021 -> 157.56.52.38:40015 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 153 UDP 192.168.1.34:13021 -> 157.56.52.13:40021 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 154 UDP 192.168.1.34:13021 -> 157.56.52.42:40005 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 155 UDP 192.168.1.34:13021 -> 111.221.77.149:40016 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 156 UDP 192.168.1.34:13021 -> 157.55.235.148:40033 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 157 UDP 192.168.1.34:13021 -> 64.4.23.165:40004 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 158 UDP 192.168.1.34:13021 -> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] + 159 UDP 192.168.1.34:13021 -> 157.55.235.175:40023 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 160 UDP 192.168.1.34:13021 -> 65.55.223.22:40009 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 161 UDP 192.168.1.34:13021 -> 65.55.223.28:40014 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 162 UDP 192.168.1.34:13021 -> 157.55.235.155:40027 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 163 UDP 192.168.1.34:13021 -> 65.55.223.33:40002 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 164 UDP 192.168.1.34:13021 -> 64.4.23.155:40004 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] + 165 UDP 192.168.1.34:13021 -> 157.55.235.176:40031 [proto: 
125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 166 UDP 192.168.1.34:13021 -> 111.221.74.19:40001 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 167 UDP 192.168.1.34:13021 -> 64.4.23.145:40027 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 168 UDP 192.168.1.34:13021 -> 213.199.179.149:40030 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 169 UDP 192.168.1.34:13021 -> 111.221.74.34:40027 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 170 UDP 192.168.1.34:13021 -> 157.55.130.146:40033 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 171 UDP 192.168.1.34:13021 -> 157.55.235.158:40027 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] + 172 UDP 192.168.1.34:13021 -> 111.221.74.24:40032 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 173 UDP 192.168.1.34:13021 -> 157.55.130.152:40022 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 174 UDP 192.168.1.34:13021 -> 64.4.23.142:40023 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] 175 UDP 192.168.1.34:13021 -> 157.55.235.174:40019 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] 176 UDP 192.168.1.34:13021 -> 157.55.130.173:40003 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 177 UDP 192.168.1.34:13021 -> 157.55.235.176:40031 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 178 UDP 192.168.1.34:13021 -> 157.55.235.175:40023 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 179 UDP 192.168.1.34:49864 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com] - 180 TCP 192.168.1.34:51316 <-> 149.13.32.15:13392 [proto: 125/Skype][11 pkts/862 bytes <-> 3 pkts/314 bytes] - 181 UDP 192.168.1.34:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes -> 0 pkts/0 bytes] - 182 UDP 192.168.1.92:17500 -> 255.255.255.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes -> 0 pkts/0 bytes] - 183 UDP 192.168.1.34:13021 -> 213.199.179.146:33033 [proto: 125/Skype][1 pkts/75 bytes -> 0 pkts/0 bytes] - 
184 UDP 192.168.1.34:53372 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] - 185 UDP 192.168.1.92:53826 -> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes -> 0 pkts/0 bytes] - 186 TCP 192.168.1.34:51271 <-> 213.199.179.175:443 [proto: 91/SSL][12 pkts/1130 bytes <-> 3 pkts/285 bytes] - 187 UDP 192.168.1.34:55028 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: a.config.skype.com] - 188 TCP 192.168.1.34:51278 <-> 64.4.23.159:40009 [proto: 125/Skype][11 pkts/832 bytes <-> 4 pkts/387 bytes] - 189 TCP 192.168.1.34:51235 <-> 65.55.223.45:40009 [proto: 125/Skype][13 pkts/976 bytes <-> 4 pkts/365 bytes] - 190 UDP 192.168.1.34:55866 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: pipe.prd.skypedata.akadns.net] - 191 UDP 192.168.1.34:57592 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/623 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst11.r.skype.net] - 192 UDP 192.168.1.34:57694 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/101 bytes <-> 1 pkts/166 bytes][Host: db3msgr5011709.gateway.messenger.live.com] - 193 UDP 192.168.1.34:13021 -> 213.199.179.173:40013 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 177 UDP 192.168.1.34:13021 -> 111.221.77.159:40031 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 178 UDP 192.168.1.34:13021 -> 157.55.130.140:40011 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 179 UDP 192.168.1.34:13021 -> 157.55.56.142:40013 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 180 UDP 192.168.1.34:13021 -> 157.56.52.27:40025 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 181 UDP 192.168.1.34:13021 -> 157.55.130.148:40019 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 182 UDP 192.168.1.34:13021 -> 157.55.56.145:40008 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] + 183 UDP 192.168.1.34:13021 -> 213.199.179.173:40013 [proto: 125/Skype][1 pkts/72 bytes -> 0 
pkts/0 bytes] + 184 UDP 192.168.1.34:13021 -> 65.55.223.13:40009 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 185 UDP 192.168.1.34:13021 -> 157.55.130.171:40012 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 186 UDP 192.168.1.34:13021 -> 157.55.56.146:40030 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 187 UDP 192.168.1.34:13021 -> 213.199.179.174:40025 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 188 UDP 192.168.1.34:13021 -> 111.221.74.15:40026 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 189 UDP 192.168.1.34:13021 -> 157.55.235.143:40030 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 190 UDP 192.168.1.34:13021 -> 157.56.52.33:40002 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 191 UDP 192.168.1.34:13021 -> 64.4.23.149:40030 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 192 UDP 192.168.1.34:13021 -> 157.55.130.150:40007 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] + 193 UDP 192.168.1.34:13021 -> 65.55.223.17:40025 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] 194 UDP 192.168.1.34:13021 -> 213.199.179.140:40003 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 195 UDP 192.168.1.34:13021 -> 213.199.179.154:40017 [proto: 125/Skype][1 pkts/78 bytes -> 0 pkts/0 bytes] - 196 UDP 192.168.1.34:13021 -> 213.199.179.144:40009 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 197 UDP 192.168.1.34:13021 -> 213.199.179.141:40015 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 198 UDP 192.168.1.34:13021 -> 213.199.179.156:40031 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 199 UDP 192.168.1.34:13021 -> 213.199.179.172:40011 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 200 UDP 192.168.1.34:13021 -> 213.199.179.174:40025 [proto: 125/Skype][1 pkts/71 bytes -> 0 pkts/0 bytes] - 201 TCP 192.168.1.34:51298 <-> 82.224.110.241:38895 [proto: 125/Skype][12 pkts/931 bytes <-> 2 pkts/219 bytes] - 202 UDP 192.168.1.34:59788 <-> 192.168.1.1:53 [proto: 
5.125/DNS.Skype][1 pkts/82 bytes <-> 1 pkts/98 bytes][Host: e4593.g.akamaiedge.net] - 203 UDP 192.168.1.34:60688 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/648 bytes -> 0 pkts/0 bytes][Host: conn.skype.akadns.net] - 204 UDP 192.168.1.34:61016 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][1 pkts/80 bytes -> 0 pkts/0 bytes][Host: apps.skypeassets.com] - 205 ICMP 192.168.1.1:0 -> 192.168.1.34:0 [proto: 81/ICMP][4 pkts/328 bytes -> 0 pkts/0 bytes] - 206 UDP 192.168.1.34:63342 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] - 207 UDP 192.168.1.34:63514 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][8 pkts/576 bytes -> 0 pkts/0 bytes][Host: ui.skype.com] - 208 UDP 192.168.1.34:64240 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/511 bytes -> 0 pkts/0 bytes][Host: api.skype.com] - 209 UDP 192.168.1.34:64258 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/546 bytes -> 0 pkts/0 bytes][Host: b.config.skype.com] - 210 UDP 192.168.1.34:64364 -> 192.168.1.1:53 [proto: 5.125/DNS.Skype][7 pkts/616 bytes -> 0 pkts/0 bytes][Host: 335.0.7.7.3.rst0.r.skype.net] - 211 UDP 192.168.1.34:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][7 pkts/680 bytes -> 0 pkts/0 bytes] - 212 UDP 192.168.1.1:137 <-> 192.168.1.34:137 [proto: 10/NetBIOS][6 pkts/958 bytes <-> 2 pkts/184 bytes] - 213 UDP 192.168.1.34:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][2 pkts/432 bytes -> 0 pkts/0 bytes] - 214 UDP 192.168.1.1:138 -> 192.168.1.34:138 [proto: 10/NetBIOS][2 pkts/452 bytes -> 0 pkts/0 bytes] - 215 UDP 192.168.1.92:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][1 pkts/92 bytes -> 0 pkts/0 bytes] - 216 UDP 192.168.1.92:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/216 bytes -> 0 pkts/0 bytes] - 217 TCP 192.168.1.34:51318 <-> 212.161.8.36:13392 [proto: 125/Skype][7 pkts/571 bytes <-> 3 pkts/286 bytes] - 218 TCP 192.168.1.34:51236 <-> 111.221.74.45:40008 [proto: 125/Skype][11 pkts/844 bytes <-> 5 pkts/413 bytes] - 219 TCP 192.168.1.34:51267 <-> 
111.221.74.18:40025 [proto: 125/Skype][10 pkts/785 bytes <-> 4 pkts/378 bytes] - 220 TCP 192.168.1.34:51248 <-> 111.221.77.175:40030 [proto: 125/Skype][11 pkts/858 bytes <-> 5 pkts/426 bytes] - 221 TCP 192.168.1.34:51227 <-> 17.172.100.36:443 [proto: 91.140/SSL.Apple][38 pkts/9082 bytes <-> 38 pkts/10499 bytes] - 222 IGMP 192.168.1.219:0 -> 224.0.0.22:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 223 IGMP 192.168.1.229:0 -> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] - 224 IGMP 192.168.0.254:0 -> 224.0.0.1:0 [proto: 82/IGMP][1 pkts/46 bytes -> 0 pkts/0 bytes] - 225 TCP 192.168.1.34:51231 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][16 pkts/3461 bytes <-> 1 pkts/74 bytes][client: apps.skype.com] - 226 TCP 192.168.1.34:51295 <-> 23.206.33.166:443 [proto: 91.125/SSL.Skype][11 pkts/2074 bytes <-> 1 pkts/74 bytes][client: apps.skype.com] - 227 UDP 192.168.1.34:13021 -> 64.4.23.146:33033 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 228 TCP 192.168.1.34:51255 <-> 157.55.130.142:40005 [proto: 125/Skype][13 pkts/1004 bytes <-> 4 pkts/318 bytes] - 229 UDP 192.168.0.254:1025 -> 239.255.255.250:1900 [proto: 12/SSDP][36 pkts/13402 bytes -> 0 pkts/0 bytes] - 230 TCP 192.168.1.34:51253 <-> 64.4.23.166:443 [proto: 91/SSL][11 pkts/1164 bytes <-> 3 pkts/268 bytes] - 231 UDP 192.168.1.92:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/142 bytes -> 0 pkts/0 bytes][Lucas-iMac.local] - 232 UDP 192.168.1.34:13021 -> 64.4.23.145:40027 [proto: 125/Skype][1 pkts/73 bytes -> 0 pkts/0 bytes] - 233 UDP 192.168.1.34:13021 -> 64.4.23.142:40023 [proto: 125/Skype][1 pkts/72 bytes -> 0 pkts/0 bytes] - 234 UDP 192.168.1.34:13021 -> 64.4.23.140:40003 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] - 235 TCP 192.168.1.34:51308 -> 80.121.84.93:443 [proto: 91/SSL][6 pkts/468 bytes -> 0 pkts/0 bytes] - 236 UDP 192.168.1.34:13021 -> 64.4.23.173:40017 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 237 UDP 192.168.1.34:13021 -> 64.4.23.148:40029 
[proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 238 UDP 192.168.1.34:13021 -> 64.4.23.151:40029 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 239 UDP 192.168.1.34:13021 -> 64.4.23.171:40031 [proto: 125/Skype][1 pkts/79 bytes -> 0 pkts/0 bytes] - 240 UDP 192.168.1.34:13021 -> 64.4.23.158:40021 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 241 UDP 192.168.1.34:13021 -> 64.4.23.170:40011 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] - 242 UDP 192.168.1.34:13021 -> 64.4.23.176:40001 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] - 243 UDP 192.168.1.34:13021 -> 65.55.223.33:40002 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 244 UDP 192.168.1.34:13021 -> 65.55.223.32:40022 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 245 UDP 192.168.1.34:13021 -> 65.55.223.28:40014 [proto: 125/Skype][1 pkts/74 bytes -> 0 pkts/0 bytes] - 246 UDP 192.168.1.34:13021 -> 65.55.223.16:40032 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] - 247 UDP 192.168.1.34:13021 -> 65.55.223.15:40030 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 248 UDP 192.168.1.34:13021 -> 65.55.223.44:40020 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 249 UDP 192.168.1.34:13021 -> 65.55.223.42:40024 [proto: 125/Skype][1 pkts/76 bytes -> 0 pkts/0 bytes] - 250 UDP 192.168.1.34:13021 -> 65.55.223.43:40006 [proto: 125/Skype][1 pkts/77 bytes -> 0 pkts/0 bytes] - 251 UDP [fe80::c62c:3ff:fe06:49fe]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes -> 0 pkts/0 bytes] - 252 TCP 192.168.1.34:51240 <-> 111.221.74.45:443 [proto: 91.125/SSL.Skype][10 pkts/1022 bytes <-> 4 pkts/351 bytes] - 253 TCP 192.168.1.34:51268 <-> 111.221.74.18:443 [proto: 91.125/SSL.Skype][10 pkts/852 bytes <-> 4 pkts/351 bytes] - 254 TCP 192.168.1.34:51250 <-> 111.221.77.175:443 [proto: 91.125/SSL.Skype][10 pkts/1012 bytes <-> 4 pkts/351 bytes] - 255 TCP 192.168.1.34:51269 <-> 213.199.179.175:40029 [proto: 125/Skype][14 pkts/1106 bytes <-> 5 pkts/385 bytes] + 
195 UDP 192.168.1.34:13021 -> 111.221.74.27:40027 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 196 UDP 192.168.1.34:13021 -> 65.55.223.65:33033 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 197 UDP 192.168.1.34:13021 -> 65.55.223.16:40032 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 198 UDP 192.168.1.34:13021 -> 111.221.77.146:33033 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 199 UDP 192.168.1.34:13021 -> 111.221.74.44:40019 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 200 UDP 192.168.1.34:13021 -> 157.56.52.24:40032 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 201 UDP 192.168.1.34:13021 -> 111.221.77.160:40016 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 202 UDP 192.168.1.34:13021 -> 64.4.23.154:40032 [proto: 125/Skype][1 pkts/70 bytes -> 0 pkts/0 bytes] + 203 UDP 192.168.1.34:13021 -> 213.199.179.144:40009 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 204 UDP 192.168.1.34:13021 -> 64.4.23.151:40029 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 205 UDP 192.168.1.34:13021 -> 64.4.23.176:40001 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 206 UDP 192.168.1.34:13021 -> 157.55.235.172:40020 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 207 UDP 192.168.1.34:13021 -> 157.55.130.146:33033 [proto: 125/Skype][1 pkts/69 bytes -> 0 pkts/0 bytes] + 208 UDP 192.168.1.34:13021 -> 157.56.52.19:40020 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 209 UDP 192.168.1.34:13021 -> 157.55.235.160:40022 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 210 UDP 192.168.1.34:13021 -> 213.199.179.146:40030 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 211 UDP 192.168.1.34:13021 -> 111.221.77.145:40024 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 212 UDP 192.168.1.34:13021 -> 157.55.56.150:40014 [proto: 125/Skype][1 pkts/68 bytes -> 0 pkts/0 bytes] + 213 UDP 192.168.1.34:13021 -> 157.55.130.175:40006 [proto: 125/Skype][1 pkts/68 bytes -> 0 
pkts/0 bytes] + 214 UDP 192.168.1.34:13021 -> 157.55.56.167:40024 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 215 UDP 192.168.1.34:13021 -> 111.221.74.46:40027 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 216 UDP 192.168.1.34:13021 -> 157.56.52.12:40031 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 217 UDP 192.168.1.34:13021 -> 157.55.235.166:40015 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 218 UDP 192.168.1.34:13021 -> 157.55.130.144:40016 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 219 UDP 192.168.1.34:13021 -> 111.221.74.43:40001 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 220 UDP 192.168.1.34:13021 -> 157.55.130.160:40008 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 221 UDP 192.168.1.34:13021 -> 111.221.77.143:40022 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 222 UDP 192.168.1.34:13021 -> 111.221.74.42:40006 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 223 UDP 192.168.1.34:13021 -> 157.55.56.161:40031 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 224 UDP 192.168.1.34:13021 -> 64.4.23.140:40003 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 225 UDP 192.168.1.34:13021 -> 111.221.74.18:33033 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 226 UDP 192.168.1.34:13021 -> 157.56.52.29:40010 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 227 UDP 192.168.1.34:13021 -> 65.55.223.18:33033 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 228 UDP 192.168.1.34:13021 -> 65.55.223.18:40025 [proto: 125/Skype][1 pkts/67 bytes -> 0 pkts/0 bytes] + 229 UDP 192.168.1.34:13021 -> 157.55.130.154:40013 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 230 UDP 192.168.1.34:13021 -> 64.4.23.146:33033 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 231 UDP 192.168.1.34:13021 -> 157.55.235.162:40033 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 232 UDP 192.168.1.34:13021 -> 157.55.56.143:40018 [proto: 125/Skype][1 
pkts/66 bytes -> 0 pkts/0 bytes] + 233 UDP 192.168.1.34:13021 -> 157.55.235.171:40006 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 234 UDP 192.168.1.34:13021 -> 65.55.223.20:40023 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 235 UDP 192.168.1.34:13021 -> 157.56.52.17:40013 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 236 UDP 192.168.1.34:13021 -> 64.4.23.170:40011 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 237 UDP 192.168.1.34:13021 -> 157.56.52.16:40032 [proto: 125/Skype][1 pkts/66 bytes -> 0 pkts/0 bytes] + 238 UDP 192.168.1.34:13021 -> 157.56.52.40:40017 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 239 UDP 192.168.1.34:13021 -> 157.55.130.156:40019 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 240 UDP 192.168.1.34:13021 -> 213.199.179.145:40024 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 241 UDP 192.168.1.34:13021 -> 157.55.130.159:40016 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 242 UDP 192.168.1.34:13021 -> 111.221.74.13:40009 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 243 UDP 192.168.1.34:13021 -> 111.221.74.38:40015 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 244 UDP 192.168.1.34:13021 -> 157.55.130.157:40013 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 245 UDP 192.168.1.34:13021 -> 111.221.77.171:40030 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 246 UDP 192.168.1.34:13021 -> 157.55.235.167:40029 [proto: 125/Skype][1 pkts/64 bytes -> 0 pkts/0 bytes] + 247 UDP 192.168.1.34:13021 -> 133.236.67.25:49195 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] + 248 IGMP 192.168.1.219:0 -> 233.89.188.1:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] + 249 UDP 192.168.1.34:13021 -> 157.55.235.141:443 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] + 250 UDP 192.168.1.34:13021 -> 111.221.74.14:443 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] + 251 UDP 192.168.1.34:13021 -> 189.188.134.174:22436 [proto: 
125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] + 252 IGMP 192.168.1.229:0 -> 224.0.0.251:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] + 253 IGMP 192.168.1.219:0 -> 224.0.0.22:0 [proto: 82/IGMP][1 pkts/60 bytes -> 0 pkts/0 bytes] + 254 UDP 192.168.1.34:13021 -> 189.138.161.88:19521 [proto: 125/Skype][1 pkts/60 bytes -> 0 pkts/0 bytes] + 255 IGMP 192.168.0.254:0 -> 224.0.0.1:0 [proto: 82/IGMP][1 pkts/46 bytes -> 0 pkts/0 bytes] Undetected flows: - 1 TCP 192.168.1.34:51294 <-> 81.83.77.141:17639 [proto: 0/Unknown][19 pkts/2794 bytes <-> 14 pkts/2303 bytes] - 2 TCP 192.168.1.34:51307 <-> 149.13.32.15:13392 [proto: 0/Unknown][19 pkts/16968 bytes <-> 7 pkts/531 bytes] - 3 TCP 192.168.1.34:51317 <-> 149.13.32.15:13392 [proto: 0/Unknown][12 pkts/5655 bytes <-> 8 pkts/553 bytes] - 4 TCP 192.168.1.34:51301 <-> 82.224.110.241:38895 [proto: 0/Unknown][11 pkts/835 bytes <-> 7 pkts/647 bytes] - 5 TCP 192.168.1.34:51315 <-> 212.161.8.36:13392 [proto: 0/Unknown][16 pkts/11797 bytes <-> 7 pkts/493 bytes] - 6 TCP 192.168.1.34:51319 -> 212.161.8.36:13392 [proto: 0/Unknown][1 pkts/78 bytes -> 0 pkts/0 bytes] - 7 TCP 192.168.1.34:51306 -> 80.121.84.93:62381 [proto: 0/Unknown][6 pkts/468 bytes -> 0 pkts/0 bytes] - 8 TCP 192.168.1.34:51314 <-> 93.79.224.176:14506 [proto: 0/Unknown][11 pkts/1407 bytes <-> 9 pkts/652 bytes] - 9 TCP 192.168.1.34:51300 <-> 76.167.161.6:20274 [proto: 0/Unknown][2 pkts/132 bytes <-> 1 pkts/74 bytes] - 10 TCP 192.168.1.34:51312 <-> 149.13.32.15:13392 [proto: 0/Unknown][18 pkts/15111 bytes <-> 7 pkts/531 bytes] - 11 UDP 192.168.1.34:59052 -> 192.168.1.1:5351 [proto: 0/Unknown][4 pkts/216 bytes -> 0 pkts/0 bytes] - 12 TCP 192.168.1.34:51303 -> 80.121.84.93:62381 [proto: 0/Unknown][7 pkts/546 bytes -> 0 pkts/0 bytes] + 1 TCP 192.168.1.34:51307 <-> 149.13.32.15:13392 [proto: 0/Unknown][19 pkts/16968 bytes <-> 7 pkts/531 bytes] + 2 TCP 192.168.1.34:51312 <-> 149.13.32.15:13392 [proto: 0/Unknown][18 pkts/15111 bytes <-> 7 pkts/531 bytes] + 3 TCP 
192.168.1.34:51315 <-> 212.161.8.36:13392 [proto: 0/Unknown][16 pkts/11797 bytes <-> 7 pkts/493 bytes] + 4 TCP 192.168.1.34:51317 <-> 149.13.32.15:13392 [proto: 0/Unknown][12 pkts/5655 bytes <-> 8 pkts/553 bytes] + 5 TCP 192.168.1.34:51294 <-> 81.83.77.141:17639 [proto: 0/Unknown][19 pkts/2794 bytes <-> 14 pkts/2303 bytes] + 6 TCP 192.168.1.34:51314 <-> 93.79.224.176:14506 [proto: 0/Unknown][11 pkts/1407 bytes <-> 9 pkts/652 bytes] + 7 TCP 192.168.1.34:51301 <-> 82.224.110.241:38895 [proto: 0/Unknown][11 pkts/835 bytes <-> 7 pkts/647 bytes] + 8 TCP 192.168.1.34:51303 -> 80.121.84.93:62381 [proto: 0/Unknown][7 pkts/546 bytes -> 0 pkts/0 bytes] + 9 TCP 192.168.1.34:51306 -> 80.121.84.93:62381 [proto: 0/Unknown][6 pkts/468 bytes -> 0 pkts/0 bytes] + 10 UDP 192.168.1.34:59052 -> 192.168.1.1:5351 [proto: 0/Unknown][4 pkts/216 bytes -> 0 pkts/0 bytes] + 11 TCP 192.168.1.34:51300 <-> 76.167.161.6:20274 [proto: 0/Unknown][2 pkts/132 bytes <-> 1 pkts/74 bytes] + 12 TCP 192.168.1.34:51319 -> 212.161.8.36:13392 [proto: 0/Unknown][1 pkts/78 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/starcraft_battle.pcap.out b/tests/result/starcraft_battle.pcap.out index 237cdc40c..4892d6fd6 100644 --- a/tests/result/starcraft_battle.pcap.out +++ b/tests/result/starcraft_battle.pcap.out 
@@ -10,55 +10,55 @@ QUIC 6 475 1 Github 3 234 1 Starcraft 236 51494 6 - 1 TCP 192.168.1.100:3516 <-> 80.239.186.21:80 [proto: 7/HTTP][6 pkts/549 bytes <-> 6 pkts/3131 bytes][Host: eu.launcher.battle.net] - 2 TCP 192.168.1.100:3518 <-> 80.239.186.26:80 [proto: 7/HTTP][6 pkts/473 bytes <-> 4 pkts/753 bytes][Host: nydus.battle.net] - 3 TCP 192.168.1.100:3522 <-> 80.239.186.21:80 [proto: 7/HTTP][6 pkts/549 bytes <-> 5 pkts/3071 bytes][Host: eu.launcher.battle.net] - 4 TCP 192.168.1.100:3524 <-> 80.239.186.26:80 [proto: 7/HTTP][6 pkts/481 bytes <-> 4 pkts/733 bytes][Host: nydus.battle.net] - 5 TCP 192.168.1.100:3526 <-> 80.239.186.40:80 [proto: 7/HTTP][6 pkts/547 bytes <-> 5 pkts/3139 bytes][Host: eu.battle.net] - 6 TCP 192.168.1.100:3427 <-> 80.239.208.193:1119 [proto: 213/Starcraft][6 pkts/376 bytes <-> 7 pkts/526 bytes] - 7 UDP 192.168.1.254:38605 -> 239.255.255.250:1900 [proto: 12/SSDP][11 pkts/4984 bytes -> 0 pkts/0 bytes] - 8 UDP 192.168.1.100:53145 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/152 bytes <-> 2 pkts/184 bytes][Host: nydus.battle.net] - 9 UDP 192.168.1.100:58831 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/172 bytes <-> 2 pkts/245 bytes][Host: 254.1.168.192.in-addr.arpa] - 10 UDP 192.168.1.100:58851 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/173 bytes <-> 2 pkts/282 bytes][Host: 22.40.194.173.in-addr.arpa] - 11 TCP 192.168.1.100:3484 <-> 173.194.113.224:443 [proto: 91.126/SSL.Google][2 pkts/108 bytes <-> 1 pkts/60 bytes] - 12 TCP 192.168.1.100:3486 <-> 199.38.164.156:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/120 bytes] - 13 UDP 192.168.1.100:53146 <-> 5.42.180.154:1119 [proto: 213/Starcraft][1 pkts/44 bytes <-> 1 pkts/60 bytes] - 14 TCP 192.168.1.100:3052 <-> 216.58.212.110:443 [proto: 91.126/SSL.Google][1 pkts/55 bytes <-> 1 pkts/66 bytes] - 15 TCP 192.168.1.100:3528 <-> 2.228.46.112:80 [proto: 7/HTTP][11 pkts/755 bytes <-> 18 pkts/24350 bytes][Host: bnetcmsus-a.akamaihd.net] - 16 TCP 192.168.1.100:3530 <-> 2.228.46.112:80 [proto: 7/HTTP][11 
pkts/752 bytes <-> 18 pkts/24350 bytes][Host: bnetcmsus-a.akamaihd.net] - 17 TCP 192.168.1.100:3532 <-> 2.228.46.112:80 [proto: 7/HTTP][3 pkts/320 bytes <-> 1 pkts/66 bytes][Host: bnetcmsus-a.akamaihd.net] - 18 TCP 192.168.1.100:3534 -> 2.228.46.112:80 [proto: 7/HTTP][1 pkts/66 bytes -> 0 pkts/0 bytes] - 19 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] - 20 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] - 21 TCP 192.168.1.100:3481 <-> 2.228.46.114:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] - 22 TCP 192.168.1.100:3479 <-> 2.228.46.114:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] - 23 TCP 192.168.1.100:3515 <-> 80.239.186.26:80 [proto: 7/HTTP][6 pkts/475 bytes <-> 4 pkts/749 bytes][Host: nydus.battle.net] - 24 TCP 192.168.1.100:3519 <-> 80.239.186.21:80 [proto: 7/HTTP][5 pkts/482 bytes <-> 4 pkts/497 bytes][Host: eu.launcher.battle.net] - 25 TCP 192.168.1.100:3521 <-> 80.239.186.26:80 [proto: 7/HTTP][6 pkts/475 bytes <-> 4 pkts/749 bytes][Host: nydus.battle.net] - 26 TCP 192.168.1.100:3523 <-> 80.239.186.26:80 [proto: 7/HTTP][6 pkts/483 bytes <-> 4 pkts/725 bytes][Host: nydus.battle.net] - 27 TCP 192.168.1.100:3525 <-> 80.239.186.40:80 [proto: 7/HTTP][6 pkts/545 bytes <-> 6 pkts/3388 bytes][Host: eu.battle.net] - 28 TCP 80.239.186.26:443 -> 192.168.1.100:3476 [proto: 91/SSL][1 pkts/60 bytes -> 0 pkts/0 bytes] - 29 TCP 192.168.1.100:2759 <-> 64.233.184.188:5228 [proto: 126/Google][1 pkts/55 bytes <-> 1 pkts/66 bytes] - 30 TCP 80.239.186.40:443 -> 192.168.1.100:3478 [proto: 91/SSL][1 pkts/60 bytes -> 0 pkts/0 bytes] - 31 TCP 192.168.1.100:3508 <-> 87.248.221.254:80 [proto: 7.60/HTTP.HTTP_Download][90 pkts/5059 bytes <-> 89 pkts/129145 bytes][Host: llnw.blizzard.com] - 32 UDP 173.194.40.22:443 <-> 192.168.1.100:53568 [proto: 188/QUIC][3 pkts/243 bytes <-> 3 pkts/232 bytes] - 33 UDP 192.168.1.100:55468 <-> 192.168.1.254:53 [proto: 
5/DNS][2 pkts/168 bytes <-> 2 pkts/388 bytes][Host: bnetcmsus-a.akamaihd.net] - 34 UDP 192.168.1.100:58818 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/172 bytes <-> 2 pkts/260 bytes][Host: 91.252.30.192.in-addr.arpa] - 35 UDP 192.168.1.100:58844 <-> 192.168.1.254:53 [proto: 5/DNS][1 pkts/86 bytes <-> 1 pkts/124 bytes][Host: 40.186.239.80.in-addr.arpa] - 36 UDP 192.168.1.100:60026 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/154 bytes <-> 2 pkts/288 bytes][Host: llnw.blizzard.com] - 37 TCP 192.168.1.100:3506 <-> 173.194.113.224:80 [proto: 7.126/HTTP.Google][5 pkts/632 bytes <-> 4 pkts/667 bytes][Host: www.google-analytics.com] - 38 TCP 192.30.252.91:443 <-> 192.168.1.100:3213 [proto: 91.203/SSL.Github][2 pkts/145 bytes <-> 1 pkts/89 bytes] - 39 IGMP 192.168.1.107:0 -> 224.0.0.22:0 [proto: 82/IGMP][2 pkts/120 bytes -> 0 pkts/0 bytes] - 40 TCP 192.168.1.100:3517 <-> 213.248.127.130:1119 [proto: 213/Starcraft][126 pkts/9157 bytes <-> 89 pkts/41021 bytes] - 41 UDP 192.168.1.100:6113 <-> 213.248.127.212:1119 [proto: 213/Starcraft][1 pkts/43 bytes <-> 1 pkts/60 bytes] - 42 UDP 192.168.1.100:6113 <-> 213.248.127.166:1119 [proto: 213/Starcraft][1 pkts/43 bytes <-> 1 pkts/60 bytes] - 43 TCP 192.168.1.100:3527 <-> 2.228.46.112:80 [proto: 7/HTTP][15 pkts/971 bytes <-> 26 pkts/36462 bytes][Host: bnetcmsus-a.akamaihd.net] - 44 TCP 192.168.1.100:3529 <-> 2.228.46.112:80 [proto: 7/HTTP][11 pkts/752 bytes <-> 18 pkts/24350 bytes][Host: bnetcmsus-a.akamaihd.net] - 45 TCP 192.168.1.100:3531 <-> 2.228.46.112:80 [proto: 7/HTTP][11 pkts/752 bytes <-> 18 pkts/24350 bytes][Host: bnetcmsus-a.akamaihd.net] - 46 TCP 192.168.1.100:3533 <-> 2.228.46.112:80 [proto: 7/HTTP][3 pkts/320 bytes <-> 1 pkts/66 bytes][Host: bnetcmsus-a.akamaihd.net] - 47 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] - 48 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] - 49 TCP 192.168.1.100:3482 <-> 2.228.46.114:443 
[proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] - 50 TCP 192.168.1.100:3480 <-> 2.228.46.114:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] - 51 TCP 192.168.1.100:3512 <-> 12.129.222.54:80 [proto: 7.76/HTTP.WorldOfWarcraft][5 pkts/367 bytes <-> 4 pkts/513 bytes][Host: us.scan.worldofwarcraft.com] - 52 UDP 192.168.1.100:53146 <-> 62.115.246.51:1119 [proto: 213/Starcraft][1 pkts/44 bytes <-> 1 pkts/60 bytes] + 1 TCP 192.168.1.100:3508 <-> 87.248.221.254:80 [proto: 7.60/HTTP.HTTP_Download][90 pkts/5059 bytes <-> 89 pkts/129145 bytes][Host: llnw.blizzard.com] + 2 TCP 192.168.1.100:3517 <-> 213.248.127.130:1119 [proto: 213/Starcraft][126 pkts/9157 bytes <-> 89 pkts/41021 bytes] + 3 TCP 192.168.1.100:3527 <-> 2.228.46.112:80 [proto: 7/HTTP][15 pkts/971 bytes <-> 26 pkts/36462 bytes][Host: bnetcmsus-a.akamaihd.net] + 4 TCP 192.168.1.100:3528 <-> 2.228.46.112:80 [proto: 7/HTTP][11 pkts/755 bytes <-> 18 pkts/24350 bytes][Host: bnetcmsus-a.akamaihd.net] + 5 TCP 192.168.1.100:3531 <-> 2.228.46.112:80 [proto: 7/HTTP][11 pkts/752 bytes <-> 18 pkts/24350 bytes][Host: bnetcmsus-a.akamaihd.net] + 6 TCP 192.168.1.100:3529 <-> 2.228.46.112:80 [proto: 7/HTTP][11 pkts/752 bytes <-> 18 pkts/24350 bytes][Host: bnetcmsus-a.akamaihd.net] + 7 TCP 192.168.1.100:3530 <-> 2.228.46.112:80 [proto: 7/HTTP][11 pkts/752 bytes <-> 18 pkts/24350 bytes][Host: bnetcmsus-a.akamaihd.net] + 8 UDP 192.168.1.254:38605 -> 239.255.255.250:1900 [proto: 12/SSDP][11 pkts/4984 bytes -> 0 pkts/0 bytes] + 9 TCP 192.168.1.100:3525 <-> 80.239.186.40:80 [proto: 7/HTTP][6 pkts/545 bytes <-> 6 pkts/3388 bytes][Host: eu.battle.net] + 10 TCP 192.168.1.100:3526 <-> 80.239.186.40:80 [proto: 7/HTTP][6 pkts/547 bytes <-> 5 pkts/3139 bytes][Host: eu.battle.net] + 11 TCP 192.168.1.100:3516 <-> 80.239.186.21:80 [proto: 7/HTTP][6 pkts/549 bytes <-> 6 pkts/3131 bytes][Host: eu.launcher.battle.net] + 12 TCP 192.168.1.100:3522 <-> 80.239.186.21:80 [proto: 7/HTTP][6 pkts/549 bytes <-> 5 pkts/3071 bytes][Host: 
eu.launcher.battle.net] + 13 TCP 192.168.1.100:3506 <-> 173.194.113.224:80 [proto: 7.126/HTTP.Google][5 pkts/632 bytes <-> 4 pkts/667 bytes][Host: www.google-analytics.com] + 14 TCP 192.168.1.100:3518 <-> 80.239.186.26:80 [proto: 7/HTTP][6 pkts/473 bytes <-> 4 pkts/753 bytes][Host: nydus.battle.net] + 15 TCP 192.168.1.100:3521 <-> 80.239.186.26:80 [proto: 7/HTTP][6 pkts/475 bytes <-> 4 pkts/749 bytes][Host: nydus.battle.net] + 16 TCP 192.168.1.100:3515 <-> 80.239.186.26:80 [proto: 7/HTTP][6 pkts/475 bytes <-> 4 pkts/749 bytes][Host: nydus.battle.net] + 17 TCP 192.168.1.100:3524 <-> 80.239.186.26:80 [proto: 7/HTTP][6 pkts/481 bytes <-> 4 pkts/733 bytes][Host: nydus.battle.net] + 18 TCP 192.168.1.100:3523 <-> 80.239.186.26:80 [proto: 7/HTTP][6 pkts/483 bytes <-> 4 pkts/725 bytes][Host: nydus.battle.net] + 19 TCP 192.168.1.100:3519 <-> 80.239.186.21:80 [proto: 7/HTTP][5 pkts/482 bytes <-> 4 pkts/497 bytes][Host: eu.launcher.battle.net] + 20 TCP 192.168.1.100:3427 <-> 80.239.208.193:1119 [proto: 213/Starcraft][6 pkts/376 bytes <-> 7 pkts/526 bytes] + 21 TCP 192.168.1.100:3512 <-> 12.129.222.54:80 [proto: 7.76/HTTP.WorldOfWarcraft][5 pkts/367 bytes <-> 4 pkts/513 bytes][Host: us.scan.worldofwarcraft.com] + 22 UDP 192.168.1.100:55468 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/168 bytes <-> 2 pkts/388 bytes][Host: bnetcmsus-a.akamaihd.net] + 23 UDP 173.194.40.22:443 <-> 192.168.1.100:53568 [proto: 188/QUIC][3 pkts/243 bytes <-> 3 pkts/232 bytes] + 24 UDP 192.168.1.100:58851 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/173 bytes <-> 2 pkts/282 bytes][Host: 22.40.194.173.in-addr.arpa] + 25 UDP 192.168.1.100:60026 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/154 bytes <-> 2 pkts/288 bytes][Host: llnw.blizzard.com] + 26 UDP 192.168.1.100:58818 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/172 bytes <-> 2 pkts/260 bytes][Host: 91.252.30.192.in-addr.arpa] + 27 UDP 192.168.1.100:58831 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/172 bytes <-> 2 pkts/245 bytes][Host: 
254.1.168.192.in-addr.arpa] + 28 TCP 192.168.1.100:3533 <-> 2.228.46.112:80 [proto: 7/HTTP][3 pkts/320 bytes <-> 1 pkts/66 bytes][Host: bnetcmsus-a.akamaihd.net] + 29 TCP 192.168.1.100:3532 <-> 2.228.46.112:80 [proto: 7/HTTP][3 pkts/320 bytes <-> 1 pkts/66 bytes][Host: bnetcmsus-a.akamaihd.net] + 30 UDP 192.168.1.100:53145 <-> 192.168.1.254:53 [proto: 5/DNS][2 pkts/152 bytes <-> 2 pkts/184 bytes][Host: nydus.battle.net] + 31 TCP 192.168.1.100:3491 <-> 2.228.46.104:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] + 32 TCP 192.168.1.100:3481 <-> 2.228.46.114:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] + 33 TCP 192.168.1.100:3479 <-> 2.228.46.114:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] + 34 TCP 192.168.1.100:3480 <-> 2.228.46.114:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] + 35 TCP 192.168.1.100:3489 <-> 2.228.46.104:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] + 36 TCP 192.168.1.100:3482 <-> 2.228.46.114:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] + 37 TCP 192.168.1.100:3492 <-> 2.228.46.104:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] + 38 TCP 192.168.1.100:3490 <-> 2.228.46.104:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/167 bytes] + 39 TCP 192.30.252.91:443 <-> 192.168.1.100:3213 [proto: 91.203/SSL.Github][2 pkts/145 bytes <-> 1 pkts/89 bytes] + 40 TCP 192.168.1.100:3486 <-> 199.38.164.156:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/120 bytes] + 41 UDP 192.168.1.100:58844 <-> 192.168.1.254:53 [proto: 5/DNS][1 pkts/86 bytes <-> 1 pkts/124 bytes][Host: 40.186.239.80.in-addr.arpa] + 42 TCP 192.168.1.100:3484 <-> 173.194.113.224:443 [proto: 91.126/SSL.Google][2 pkts/108 bytes <-> 1 pkts/60 bytes] + 43 TCP 192.168.1.100:3052 <-> 216.58.212.110:443 [proto: 91.126/SSL.Google][1 pkts/55 bytes <-> 1 pkts/66 bytes] + 44 TCP 192.168.1.100:2759 <-> 64.233.184.188:5228 [proto: 126/Google][1 pkts/55 bytes <-> 1 pkts/66 bytes] + 45 IGMP 192.168.1.107:0 -> 224.0.0.22:0 
[proto: 82/IGMP][2 pkts/120 bytes -> 0 pkts/0 bytes] + 46 UDP 192.168.1.100:53146 <-> 5.42.180.154:1119 [proto: 213/Starcraft][1 pkts/44 bytes <-> 1 pkts/60 bytes] + 47 UDP 192.168.1.100:53146 <-> 62.115.246.51:1119 [proto: 213/Starcraft][1 pkts/44 bytes <-> 1 pkts/60 bytes] + 48 UDP 192.168.1.100:6113 <-> 213.248.127.212:1119 [proto: 213/Starcraft][1 pkts/43 bytes <-> 1 pkts/60 bytes] + 49 UDP 192.168.1.100:6113 <-> 213.248.127.166:1119 [proto: 213/Starcraft][1 pkts/43 bytes <-> 1 pkts/60 bytes] + 50 TCP 192.168.1.100:3534 -> 2.228.46.112:80 [proto: 7/HTTP][1 pkts/66 bytes -> 0 pkts/0 bytes] + 51 TCP 80.239.186.40:443 -> 192.168.1.100:3478 [proto: 91/SSL][1 pkts/60 bytes -> 0 pkts/0 bytes] + 52 TCP 80.239.186.26:443 -> 192.168.1.100:3476 [proto: 91/SSL][1 pkts/60 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/teredo.pcap.out b/tests/result/teredo.pcap.out index 82128ae62..0429c725a 100644 --- a/tests/result/teredo.pcap.out +++ b/tests/result/teredo.pcap.out @@ -1,7 +1,7 @@ Teredo 24 2574 5 - 1 UDP 10.112.16.106:52513 <-> 194.136.28.76:3544 [proto: 214/Teredo][2 pkts/206 bytes <-> 2 pkts/302 bytes] - 2 UDP 10.112.16.89:60381 <-> 194.136.28.76:3544 [proto: 214/Teredo][1 pkts/103 bytes <-> 1 pkts/151 bytes] - 3 UDP 10.112.16.67:51812 <-> 194.136.28.76:3544 [proto: 214/Teredo][10 pkts/930 bytes <-> 4 pkts/374 bytes] + 1 UDP 10.112.16.67:51812 <-> 194.136.28.76:3544 [proto: 214/Teredo][10 pkts/930 bytes <-> 4 pkts/374 bytes] + 2 UDP 10.112.16.106:52513 <-> 194.136.28.76:3544 [proto: 214/Teredo][2 pkts/206 bytes <-> 2 pkts/302 bytes] + 3 UDP 10.112.16.89:60381 <-> 194.136.28.76:3544 [proto: 214/Teredo][1 pkts/103 bytes <-> 1 pkts/151 bytes] 4 UDP 10.112.16.64:56154 <-> 194.136.28.76:3544 [proto: 214/Teredo][1 pkts/103 bytes <-> 1 pkts/151 bytes] 5 UDP 10.112.16.92:63448 <-> 194.136.28.76:3544 [proto: 214/Teredo][1 pkts/103 bytes <-> 1 pkts/151 bytes] diff --git a/tests/result/tinc.pcap.out b/tests/result/tinc.pcap.out index cd9506709..5f5a6f2e1 100644 
--- a/tests/result/tinc.pcap.out +++ b/tests/result/tinc.pcap.out @@ -1,6 +1,6 @@ TINC 317 352291 4 - 1 TCP 131.114.168.27:59244 <-> 185.83.218.112:55655 [proto: 209/TINC][15 pkts/3169 bytes <-> 11 pkts/2932 bytes] - 2 TCP 131.114.168.27:49290 <-> 185.83.218.112:55656 [proto: 209/TINC][14 pkts/3812 bytes <-> 13 pkts/3098 bytes] - 3 UDP 131.114.168.27:55655 <-> 185.83.218.112:55655 [proto: 209/TINC][101 pkts/136966 bytes <-> 29 pkts/32550 bytes] - 4 UDP 185.83.218.112:55656 <-> 131.114.168.27:55656 [proto: 209/TINC][29 pkts/30038 bytes <-> 105 pkts/139726 bytes] + 1 UDP 185.83.218.112:55656 <-> 131.114.168.27:55656 [proto: 209/TINC][29 pkts/30038 bytes <-> 105 pkts/139726 bytes] + 2 UDP 131.114.168.27:55655 <-> 185.83.218.112:55655 [proto: 209/TINC][101 pkts/136966 bytes <-> 29 pkts/32550 bytes] + 3 TCP 131.114.168.27:49290 <-> 185.83.218.112:55656 [proto: 209/TINC][14 pkts/3812 bytes <-> 13 pkts/3098 bytes] + 4 TCP 131.114.168.27:59244 <-> 185.83.218.112:55655 [proto: 209/TINC][15 pkts/3169 bytes <-> 11 pkts/2932 bytes] diff --git a/tests/result/tor.pcap.out b/tests/result/tor.pcap.out index 4dd9a3974..9eb65c600 100644 --- a/tests/result/tor.pcap.out +++ b/tests/result/tor.pcap.out 
@@ -4,14 +4,14 @@ DHCPV6 6 906 1 Dropbox 10 1860 1 Tor 3676 3014362 7 - 1 UDP 192.168.1.1:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][10 pkts/1860 bytes -> 0 pkts/0 bytes] - 2 UDP [fe80::c583:1972:5728:7323]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][6 pkts/906 bytes -> 0 pkts/0 bytes] - 3 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 163/Tor][16 pkts/3691 bytes <-> 16 pkts/6740 bytes] - 4 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 163/Tor][16 pkts/4858 bytes <-> 18 pkts/6284 bytes] - 5 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 163/Tor][17 pkts/5489 bytes <-> 21 pkts/7031 bytes] - 6 TCP 192.168.1.252:51104 -> 157.56.30.46:443 [proto: 91/SSL][1 pkts/60 bytes -> 0 pkts/0 bytes] - 7 UDP 192.168.1.252:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/252 bytes -> 0 pkts/0 bytes] - 8 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 163/Tor][580 pkts/145960 bytes <-> 996 pkts/1242832 bytes] - 9 TCP 192.168.1.252:51176 <-> 38.229.70.53:443 [proto: 163/Tor][693 pkts/181364 bytes <-> 1133 pkts/1331914 bytes] - 10 TCP 192.168.1.252:51185 <-> 62.210.137.230:443 [proto: 163/Tor][15 pkts/3634 bytes <-> 14 pkts/6027 bytes] - 11 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 163/Tor][62 pkts/22715 bytes <-> 79 pkts/45823 bytes] + 1 TCP 192.168.1.252:51176 <-> 38.229.70.53:443 [proto: 163/Tor][693 pkts/181364 bytes <-> 1133 pkts/1331914 bytes] + 2 TCP 192.168.1.252:51112 <-> 38.229.70.53:443 [proto: 163/Tor][580 pkts/145960 bytes <-> 996 pkts/1242832 bytes] + 3 TCP 192.168.1.252:51110 <-> 91.143.93.242:443 [proto: 163/Tor][62 pkts/22715 bytes <-> 79 pkts/45823 bytes] + 4 TCP 192.168.1.252:51175 <-> 91.143.93.242:443 [proto: 163/Tor][17 pkts/5489 bytes <-> 21 pkts/7031 bytes] + 5 TCP 192.168.1.252:51111 <-> 46.59.52.31:443 [proto: 163/Tor][16 pkts/4858 bytes <-> 18 pkts/6284 bytes] + 6 TCP 192.168.1.252:51174 <-> 212.83.155.250:443 [proto: 163/Tor][16 pkts/3691 bytes <-> 16 pkts/6740 bytes] + 7 TCP 192.168.1.252:51185 <-> 
62.210.137.230:443 [proto: 163/Tor][15 pkts/3634 bytes <-> 14 pkts/6027 bytes] + 8 UDP 192.168.1.1:17500 -> 192.168.1.255:17500 [proto: 121/Dropbox][10 pkts/1860 bytes -> 0 pkts/0 bytes] + 9 UDP [fe80::c583:1972:5728:7323]:546 -> [ff02::1:2]:547 [proto: 103/DHCPV6][6 pkts/906 bytes -> 0 pkts/0 bytes] + 10 UDP 192.168.1.252:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][1 pkts/252 bytes -> 0 pkts/0 bytes] + 11 TCP 192.168.1.252:51104 -> 157.56.30.46:443 [proto: 91/SSL][1 pkts/60 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/ubntac2.pcap.out b/tests/result/ubntac2.pcap.out index c4103cdf1..b45250ecf 100644 --- a/tests/result/ubntac2.pcap.out +++ b/tests/result/ubntac2.pcap.out 
@@ -1,10 +1,10 @@ UBNTAC2 8 1736 8 - 1 UDP 192.168.1.1:42838 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 1 UDP 192.168.1.1:55321 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] 2 UDP 192.168.1.1:47746 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] 3 UDP 192.168.1.1:52220 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] 4 UDP 192.168.1.1:59772 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] - 5 UDP 192.168.1.1:34085 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 5 UDP 192.168.1.1:42838 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] 6 UDP 192.168.1.1:44641 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] 7 UDP 192.168.1.1:47871 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] - 8 UDP 192.168.1.1:55321 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] + 8 UDP 192.168.1.1:34085 -> 255.255.255.255:10001 [proto: 31/UBNTAC2][1 pkts/217 bytes -> 0 pkts/0 bytes][UniFiSecurityGateway.ER-e120.v4.3.33.4936086.161203.2031] diff --git a/tests/result/viber_mobile.pcap.out b/tests/result/viber_mobile.pcap.out index c11180994..5c294075d 100644 --- a/tests/result/viber_mobile.pcap.out 
+++ b/tests/result/viber_mobile.pcap.out 
@@ -13,85 +13,85 @@ WhatsApp 38 6756 3 Viber 10081 1413446 4 Amazon 8 528 1 - 1 TCP 192.168.200.222:57999 <-> 74.125.130.188:5228 [proto: 91.126/SSL.Google][7 pkts/1505 bytes <-> 8 pkts/953 bytes][client: mtalk.google.com] - 2 UDP 192.168.200.222:39413 -> 122.146.250.88:9415 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] - 3 TCP 192.168.200.222:59011 <-> 74.125.130.188:5228 [proto: 126/Google][8 pkts/3893 bytes <-> 8 pkts/1945 bytes] - 4 UDP 192.168.200.222:39413 <-> 134.249.176.227:7108 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/329 bytes] - 5 TCP 192.168.200.222:60828 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] - 6 TCP 192.168.200.222:44058 <-> 158.85.58.23:443 [proto: 91.142/SSL.WhatsApp][4 pkts/277 bytes <-> 3 pkts/255 bytes] - 7 UDP 192.168.200.222:15836 <-> 8.8.8.8:53 [proto: 5.122/DNS.GMail][1 pkts/75 bytes <-> 1 pkts/166 bytes][Host: mail.google.com] - 8 UDP 192.168.200.222:39413 <-> 84.202.23.122:22737 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 9 UDP 192.168.200.222:39413 <-> 178.57.5.53:64731 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/352 bytes] - 10 UDP 192.168.200.222:39413 <-> 60.71.113.134:37764 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 11 UDP 192.168.200.222:39413 <-> 23.113.222.89:49548 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/357 bytes] - 12 UDP 192.168.200.222:39413 <-> 1.163.234.205:58738 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/325 bytes] - 13 TCP 222.165.163.117:443 <-> 192.168.200.222:47424 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] - 14 UDP 192.168.200.222:39413 -> 90.19.187.56:40500 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] - 15 UDP 192.168.200.222:39413 <-> 80.47.129.1:44420 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 16 UDP 192.168.200.222:39413 -> 70.112.231.62:51413 [proto: 37/BitTorrent][3 pkts/438 bytes -> 0 pkts/0 bytes] - 17 TCP 192.168.200.222:38039 <-> 
31.13.79.246:443 [proto: 91.119/SSL.Facebook][19 pkts/3115 bytes <-> 18 pkts/13053 bytes][client: graph.facebook.com][server: *.facebook.com] - 18 UDP 192.168.200.222:39413 <-> 94.6.33.9:46735 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 19 TCP 216.58.199.206:443 <-> 192.168.200.222:58663 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 20 UDP 192.168.200.222:39413 -> 88.176.55.218:51413 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] - 21 UDP 192.168.200.222:39413 -> 182.57.65.243:27736 [proto: 37/BitTorrent][2 pkts/292 bytes -> 0 pkts/0 bytes] - 22 TCP 192.168.200.222:38778 -> 54.251.141.219:80 [proto: 7.178/HTTP.Amazon][8 pkts/528 bytes -> 0 pkts/0 bytes] - 23 UDP 192.168.200.222:47874 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][1 pkts/76 bytes <-> 1 pkts/121 bytes][Host: mtalk.google.com] - 24 TCP 192.168.200.222:39339 <-> 54.169.63.186:443 [proto: 91.144/SSL.Viber][4 pkts/272 bytes <-> 2 pkts/140 bytes] - 25 UDP 192.168.200.222:39413 <-> 92.249.148.218:53810 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 26 TCP 192.168.200.222:33161 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] - 27 TCP 192.168.200.222:52491 <-> 31.13.79.245:443 [proto: 91.119/SSL.Facebook][4 pkts/328 bytes <-> 7 pkts/745 bytes] - 28 UDP 192.168.200.222:55854 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/70 bytes <-> 1 pkts/166 bytes][Host: s.jpush.cn] - 29 UDP 192.168.200.222:58434 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/77 bytes <-> 1 pkts/272 bytes][Host: e.crashlytics.com] - 30 UDP 192.168.200.222:39413 <-> 2.85.108.0:21241 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 31 TCP 192.168.200.222:36675 -> 112.124.219.82:80 [proto: 7/HTTP][9 pkts/2188 bytes -> 0 pkts/0 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] - 32 UDP 192.168.200.222:39413 <-> 24.43.1.206:17193 [proto: 37/BitTorrent][4 pkts/996 bytes <-> 4 pkts/996 bytes] - 33 UDP 192.168.200.222:60474 <-> 8.8.8.8:53 [proto: 
5/DNS][1 pkts/77 bytes <-> 1 pkts/141 bytes][Host: easytomessage.com] - 34 ICMP 192.168.200.222:0 -> 8.8.8.8:0 [proto: 81.126/ICMP.Google][1 pkts/148 bytes -> 0 pkts/0 bytes] - 35 UDP 192.168.200.222:39413 <-> 186.220.157.231:45235 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 36 TCP 192.168.200.222:51055 <-> 74.125.68.156:443 [proto: 91.126/SSL.Google][17 pkts/2087 bytes <-> 14 pkts/5520 bytes][client: googleads.g.doubleclick.net][server: *.g.doubleclick.net] - 37 ICMP 37.214.167.82:0 -> 192.168.200.222:0 [proto: 81/ICMP][1 pkts/174 bytes -> 0 pkts/0 bytes] - 38 UDP 192.168.200.222:39413 <-> 80.234.25.211:12624 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 39 TCP 192.168.200.222:46761 <-> 112.124.219.93:80 [proto: 7/HTTP][5 pkts/520 bytes <-> 4 pkts/563 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] - 40 TCP 192.168.200.222:52977 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] - 41 UDP 192.168.200.222:39413 <-> 120.57.18.255:10201 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 42 UDP 192.168.200.222:16965 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/84 bytes <-> 1 pkts/282 bytes][Host: settings.crashlytics.com] - 43 UDP 192.168.200.222:39413 <-> 24.43.1.206:40959 [proto: 37/BitTorrent][2 pkts/498 bytes <-> 2 pkts/498 bytes] - 44 UDP 192.168.200.222:39413 <-> 46.181.170.37:36237 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 45 UDP 192.168.200.222:22761 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/107 bytes <-> 1 pkts/139 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] - 46 UDP 192.168.200.222:39413 <-> 188.165.225.138:6881 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/334 bytes] - 47 UDP 192.168.200.222:39149 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/72 bytes <-> 1 pkts/120 bytes][Host: sis.jpush.io] - 48 TCP 222.165.163.93:443 <-> 192.168.200.222:52635 [proto: 91/SSL][4 pkts/319 bytes <-> 3 pkts/210 bytes] - 49 TCP 222.165.163.93:443 <-> 
192.168.200.222:52641 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] - 50 UDP 192.168.200.222:39413 -> 178.157.199.144:22133 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] - 51 UDP 192.168.200.222:39695 <-> 8.8.8.8:53 [proto: 5.119/DNS.Facebook][1 pkts/78 bytes <-> 1 pkts/136 bytes][Host: graph.facebook.com] - 52 TCP 222.165.163.91:443 <-> 192.168.200.222:56243 [proto: 91/SSL][4 pkts/319 bytes <-> 3 pkts/210 bytes] - 53 ICMP 192.168.200.222:0 -> 192.168.1.1:0 [proto: 81/ICMP][2 pkts/196 bytes -> 0 pkts/0 bytes] - 54 UDP 192.168.200.222:43901 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][1 pkts/87 bytes <-> 1 pkts/176 bytes][Host: googleads.g.doubleclick.net] - 55 TCP 74.125.68.239:443 <-> 192.168.200.222:37376 [proto: 91.126/SSL.Google][4 pkts/303 bytes <-> 3 pkts/229 bytes] - 56 TCP 192.168.200.222:43287 <-> 52.0.253.46:443 [proto: 64/SSL_No_Cert][22 pkts/3437 bytes <-> 14 pkts/2437 bytes] - 57 UDP 192.168.200.222:52263 <-> 8.8.8.8:53 [proto: 5.142/DNS.WhatsApp][1 pkts/75 bytes <-> 1 pkts/203 bytes][Host: e9.whatsapp.net] - 58 TCP 192.168.200.222:51146 <-> 23.21.254.189:443 [proto: 91/SSL][12 pkts/2322 bytes <-> 10 pkts/6919 bytes][client: e.crashlytics.com][server: *.crashlytics.com] - 59 TCP 52.0.253.46:4244 <-> 192.168.200.222:43454 [proto: 144/Viber][8 pkts/1187 bytes <-> 8 pkts/856 bytes] - 60 TCP 192.168.200.222:42040 <-> 74.125.200.18:443 [proto: 91.122/SSL.GMail][17 pkts/3286 bytes <-> 16 pkts/11246 bytes][client: mail.google.com][server: mail.google.com] - 61 UDP 192.168.200.222:39413 -> 37.214.167.82:11905 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] - 62 UDP 192.168.200.222:58921 <-> 8.8.8.8:53 [proto: 5/DNS][2 pkts/144 bytes <-> 2 pkts/192 bytes][Host: sis.jpush.io] - 63 TCP 192.168.200.222:43646 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] - 64 TCP 192.168.200.222:40005 <-> 108.168.176.234:443 [proto: 142/WhatsApp][13 pkts/1401 bytes <-> 16 pkts/4545 bytes] - 65 UDP 192.168.200.222:39413 <-> 
93.100.186.199:6881 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/352 bytes] - 66 UDP 192.168.200.222:48564 <-> 54.169.63.186:7985 [proto: 144/Viber][4192 pkts/515224 bytes <-> 5865 pkts/895629 bytes] - 67 UDP 192.168.200.222:48564 <-> 54.169.63.186:7987 [proto: 144/Viber][1 pkts/76 bytes <-> 1 pkts/62 bytes] - 68 TCP 192.168.200.222:50854 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] - 69 UDP 192.168.200.222:39413 -> 81.192.42.247:15057 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] - 70 UDP 192.168.200.222:39413 <-> 92.245.59.202:12998 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] - 71 TCP 192.168.200.222:51765 -> 108.160.172.205:443 [proto: 91.121/SSL.Dropbox][2 pkts/163 bytes -> 0 pkts/0 bytes] - 72 TCP 192.168.200.222:52269 <-> 107.22.192.179:443 [proto: 91/SSL][15 pkts/2237 bytes <-> 11 pkts/7820 bytes][client: settings.crashlytics.com][server: *.crashlytics.com] + 1 UDP 192.168.200.222:48564 <-> 54.169.63.186:7985 [proto: 144/Viber][4192 pkts/515224 bytes <-> 5865 pkts/895629 bytes] + 2 TCP 192.168.200.222:38039 <-> 31.13.79.246:443 [proto: 91.119/SSL.Facebook][19 pkts/3115 bytes <-> 18 pkts/13053 bytes][client: graph.facebook.com][server: *.facebook.com] + 3 TCP 192.168.200.222:42040 <-> 74.125.200.18:443 [proto: 91.122/SSL.GMail][17 pkts/3286 bytes <-> 16 pkts/11246 bytes][client: mail.google.com][server: mail.google.com] + 4 TCP 192.168.200.222:52269 <-> 107.22.192.179:443 [proto: 91/SSL][15 pkts/2237 bytes <-> 11 pkts/7820 bytes][client: settings.crashlytics.com][server: *.crashlytics.com] + 5 TCP 192.168.200.222:51146 <-> 23.21.254.189:443 [proto: 91/SSL][12 pkts/2322 bytes <-> 10 pkts/6919 bytes][client: e.crashlytics.com][server: *.crashlytics.com] + 6 TCP 192.168.200.222:51055 <-> 74.125.68.156:443 [proto: 91.126/SSL.Google][17 pkts/2087 bytes <-> 14 pkts/5520 bytes][client: googleads.g.doubleclick.net][server: *.g.doubleclick.net] + 7 TCP 192.168.200.222:40005 <-> 108.168.176.234:443 
[proto: 142/WhatsApp][13 pkts/1401 bytes <-> 16 pkts/4545 bytes] + 8 TCP 192.168.200.222:43287 <-> 52.0.253.46:443 [proto: 64/SSL_No_Cert][22 pkts/3437 bytes <-> 14 pkts/2437 bytes] + 9 TCP 192.168.200.222:59011 <-> 74.125.130.188:5228 [proto: 126/Google][8 pkts/3893 bytes <-> 8 pkts/1945 bytes] + 10 TCP 192.168.200.222:57999 <-> 74.125.130.188:5228 [proto: 91.126/SSL.Google][7 pkts/1505 bytes <-> 8 pkts/953 bytes][client: mtalk.google.com] + 11 TCP 192.168.200.222:36675 -> 112.124.219.82:80 [proto: 7/HTTP][9 pkts/2188 bytes -> 0 pkts/0 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] + 12 TCP 52.0.253.46:4244 <-> 192.168.200.222:43454 [proto: 144/Viber][8 pkts/1187 bytes <-> 8 pkts/856 bytes] + 13 UDP 192.168.200.222:39413 <-> 24.43.1.206:17193 [proto: 37/BitTorrent][4 pkts/996 bytes <-> 4 pkts/996 bytes] + 14 TCP 192.168.200.222:46761 <-> 112.124.219.93:80 [proto: 7/HTTP][5 pkts/520 bytes <-> 4 pkts/563 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] + 15 TCP 192.168.200.222:52491 <-> 31.13.79.245:443 [proto: 91.119/SSL.Facebook][4 pkts/328 bytes <-> 7 pkts/745 bytes] + 16 UDP 192.168.200.222:39413 <-> 24.43.1.206:40959 [proto: 37/BitTorrent][2 pkts/498 bytes <-> 2 pkts/498 bytes] + 17 TCP 74.125.68.239:443 <-> 192.168.200.222:37376 [proto: 91.126/SSL.Google][4 pkts/303 bytes <-> 3 pkts/229 bytes] + 18 TCP 192.168.200.222:44058 <-> 158.85.58.23:443 [proto: 91.142/SSL.WhatsApp][4 pkts/277 bytes <-> 3 pkts/255 bytes] + 19 TCP 222.165.163.91:443 <-> 192.168.200.222:56243 [proto: 91/SSL][4 pkts/319 bytes <-> 3 pkts/210 bytes] + 20 TCP 222.165.163.93:443 <-> 192.168.200.222:52635 [proto: 91/SSL][4 pkts/319 bytes <-> 3 pkts/210 bytes] + 21 TCP 192.168.200.222:38778 -> 54.251.141.219:80 [proto: 7.178/HTTP.Amazon][8 pkts/528 bytes -> 0 pkts/0 bytes] + 22 UDP 192.168.200.222:39413 <-> 84.202.23.122:22737 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] + 23 UDP 192.168.200.222:39413 <-> 80.234.25.211:12624 [proto: 37/BitTorrent][1 
pkts/146 bytes <-> 1 pkts/359 bytes] + 24 UDP 192.168.200.222:39413 <-> 80.47.129.1:44420 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] + 25 UDP 192.168.200.222:39413 <-> 2.85.108.0:21241 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] + 26 UDP 192.168.200.222:39413 <-> 92.249.148.218:53810 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] + 27 UDP 192.168.200.222:39413 <-> 186.220.157.231:45235 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] + 28 UDP 192.168.200.222:39413 <-> 120.57.18.255:10201 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] + 29 UDP 192.168.200.222:39413 <-> 94.6.33.9:46735 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] + 30 UDP 192.168.200.222:39413 <-> 92.245.59.202:12998 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] + 31 UDP 192.168.200.222:39413 <-> 60.71.113.134:37764 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] + 32 UDP 192.168.200.222:39413 <-> 46.181.170.37:36237 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/359 bytes] + 33 UDP 192.168.200.222:39413 <-> 23.113.222.89:49548 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/357 bytes] + 34 UDP 192.168.200.222:39413 <-> 178.57.5.53:64731 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/352 bytes] + 35 UDP 192.168.200.222:39413 <-> 93.100.186.199:6881 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/352 bytes] + 36 UDP 192.168.200.222:39413 <-> 188.165.225.138:6881 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/334 bytes] + 37 UDP 192.168.200.222:39413 <-> 134.249.176.227:7108 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/329 bytes] + 38 UDP 192.168.200.222:39413 <-> 1.163.234.205:58738 [proto: 37/BitTorrent][1 pkts/146 bytes <-> 1 pkts/325 bytes] + 39 UDP 192.168.200.222:39413 -> 70.112.231.62:51413 [proto: 37/BitTorrent][3 pkts/438 bytes -> 0 pkts/0 bytes] + 40 TCP 192.168.200.222:39339 <-> 54.169.63.186:443 [proto: 91.144/SSL.Viber][4 pkts/272 bytes <-> 
2 pkts/140 bytes] + 41 TCP 222.165.163.93:443 <-> 192.168.200.222:52641 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] + 42 TCP 222.165.163.117:443 <-> 192.168.200.222:47424 [proto: 91/SSL][3 pkts/253 bytes <-> 2 pkts/132 bytes] + 43 UDP 192.168.200.222:16965 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/84 bytes <-> 1 pkts/282 bytes][Host: settings.crashlytics.com] + 44 UDP 192.168.200.222:58434 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/77 bytes <-> 1 pkts/272 bytes][Host: e.crashlytics.com] + 45 UDP 192.168.200.222:58921 <-> 8.8.8.8:53 [proto: 5/DNS][2 pkts/144 bytes <-> 2 pkts/192 bytes][Host: sis.jpush.io] + 46 TCP 192.168.200.222:50854 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] + 47 TCP 192.168.200.222:33161 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] + 48 TCP 192.168.200.222:60828 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] + 49 TCP 192.168.200.222:52977 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] + 50 TCP 192.168.200.222:43646 -> 93.184.221.200:80 [proto: 7/HTTP][5 pkts/300 bytes -> 0 pkts/0 bytes] + 51 UDP 192.168.200.222:39413 -> 182.57.65.243:27736 [proto: 37/BitTorrent][2 pkts/292 bytes -> 0 pkts/0 bytes] + 52 UDP 192.168.200.222:52263 <-> 8.8.8.8:53 [proto: 5.142/DNS.WhatsApp][1 pkts/75 bytes <-> 1 pkts/203 bytes][Host: e9.whatsapp.net] + 53 UDP 192.168.200.222:43901 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][1 pkts/87 bytes <-> 1 pkts/176 bytes][Host: googleads.g.doubleclick.net] + 54 UDP 192.168.200.222:22761 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/107 bytes <-> 1 pkts/139 bytes][Host: androiddailyyogacn.oss-cn-hangzhou.aliyuncs.com] + 55 UDP 192.168.200.222:15836 <-> 8.8.8.8:53 [proto: 5.122/DNS.GMail][1 pkts/75 bytes <-> 1 pkts/166 bytes][Host: mail.google.com] + 56 UDP 192.168.200.222:55854 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/70 bytes <-> 1 pkts/166 bytes][Host: s.jpush.cn] + 57 UDP 192.168.200.222:60474 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/77 
bytes <-> 1 pkts/141 bytes][Host: easytomessage.com] + 58 UDP 192.168.200.222:39695 <-> 8.8.8.8:53 [proto: 5.119/DNS.Facebook][1 pkts/78 bytes <-> 1 pkts/136 bytes][Host: graph.facebook.com] + 59 UDP 192.168.200.222:47874 <-> 8.8.8.8:53 [proto: 5.126/DNS.Google][1 pkts/76 bytes <-> 1 pkts/121 bytes][Host: mtalk.google.com] + 60 ICMP 192.168.200.222:0 -> 192.168.1.1:0 [proto: 81/ICMP][2 pkts/196 bytes -> 0 pkts/0 bytes] + 61 UDP 192.168.200.222:39149 <-> 8.8.8.8:53 [proto: 5/DNS][1 pkts/72 bytes <-> 1 pkts/120 bytes][Host: sis.jpush.io] + 62 ICMP 37.214.167.82:0 -> 192.168.200.222:0 [proto: 81/ICMP][1 pkts/174 bytes -> 0 pkts/0 bytes] + 63 TCP 192.168.200.222:51765 -> 108.160.172.205:443 [proto: 91.121/SSL.Dropbox][2 pkts/163 bytes -> 0 pkts/0 bytes] + 64 ICMP 192.168.200.222:0 -> 8.8.8.8:0 [proto: 81.126/ICMP.Google][1 pkts/148 bytes -> 0 pkts/0 bytes] + 65 UDP 192.168.200.222:39413 -> 90.19.187.56:40500 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] + 66 UDP 192.168.200.222:39413 -> 81.192.42.247:15057 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] + 67 UDP 192.168.200.222:39413 -> 37.214.167.82:11905 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] + 68 UDP 192.168.200.222:39413 -> 88.176.55.218:51413 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] + 69 UDP 192.168.200.222:39413 -> 178.157.199.144:22133 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] + 70 UDP 192.168.200.222:39413 -> 122.146.250.88:9415 [proto: 37/BitTorrent][1 pkts/146 bytes -> 0 pkts/0 bytes] + 71 UDP 192.168.200.222:48564 <-> 54.169.63.186:7987 [proto: 144/Viber][1 pkts/76 bytes <-> 1 pkts/62 bytes] + 72 TCP 216.58.199.206:443 <-> 192.168.200.222:58663 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] Undetected flows: - 1 TCP 192.168.200.222:55554 <-> 113.31.80.142:7003 [proto: 0/Unknown][4 pkts/276 bytes <-> 2 pkts/170 bytes] + 1 UDP 192.168.200.222:48564 -> 175.157.52.135:37300 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 
pkts/0 bytes] 2 UDP 192.168.200.222:48564 -> 175.157.52.135:37299 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] 3 UDP 192.168.200.222:48564 -> 175.157.52.135:37301 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] - 4 TCP 192.168.200.222:55565 <-> 113.31.80.142:7003 [proto: 0/Unknown][4 pkts/341 bytes <-> 3 pkts/208 bytes] + 4 UDP 192.168.200.222:48564 -> 175.157.52.135:37302 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] 5 UDP 192.168.200.222:48564 -> 10.216.246.82:59027 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] - 6 UDP 192.168.200.222:48564 -> 175.157.52.135:37300 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] - 7 UDP 192.168.200.222:48564 -> 175.157.52.135:37302 [proto: 0/Unknown][30 pkts/1800 bytes -> 0 pkts/0 bytes] + 6 TCP 192.168.200.222:55565 <-> 113.31.80.142:7003 [proto: 0/Unknown][4 pkts/341 bytes <-> 3 pkts/208 bytes] + 7 TCP 192.168.200.222:55554 <-> 113.31.80.142:7003 [proto: 0/Unknown][4 pkts/276 bytes <-> 2 pkts/170 bytes] diff --git a/tests/result/vnc.pcap.out b/tests/result/vnc.pcap.out index d469a61ac..488a3ed33 100644 --- a/tests/result/vnc.pcap.out +++ b/tests/result/vnc.pcap.out @@ -1,4 +1,4 @@ VNC 4551 329158 2 - 1 TCP 95.237.48.208:51559 <-> 192.168.2.110:6900 [proto: 89/VNC][684 pkts/54893 bytes <-> 324 pkts/17720 bytes] - 2 TCP 95.237.48.208:59791 <-> 192.168.2.110:6900 [proto: 89/VNC][2485 pkts/199101 bytes <-> 1058 pkts/57444 bytes] + 1 TCP 95.237.48.208:59791 <-> 192.168.2.110:6900 [proto: 89/VNC][2485 pkts/199101 bytes <-> 1058 pkts/57444 bytes] + 2 TCP 95.237.48.208:51559 <-> 192.168.2.110:6900 [proto: 89/VNC][684 pkts/54893 bytes <-> 324 pkts/17720 bytes] diff --git a/tests/result/waze.pcap.out b/tests/result/waze.pcap.out index 76335c434..fa340868a 100644 --- a/tests/result/waze.pcap.out +++ b/tests/result/waze.pcap.out 
@@ -7,38 +7,38 @@ SSL 8 432 2 Waze 484 289335 19 WhatsApp 15 1341 1 - 1 TCP 10.8.0.1:50828 <-> 108.168.176.228:443 [proto: 142/WhatsApp][8 pkts/673 bytes <-> 7 pkts/668 bytes] - 2 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][server: *.world.waze.com] - 3 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][server: *.world.waze.com] - 4 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][server: *.world.waze.com] - 5 TCP 10.16.37.157:41823 <-> 200.160.4.49:80 [proto: 7/HTTP][2 pkts/120 bytes <-> 2 pkts/108 bytes] - 6 TCP 10.16.37.157:43991 <-> 200.160.4.31:80 [proto: 7/HTTP][2 pkts/120 bytes <-> 2 pkts/108 bytes] - 7 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][9 pkts/1184 bytes <-> 9 pkts/4369 bytes][server: *.waze.com] - 8 TCP 10.8.0.1:45169 <-> 200.160.4.198:80 [proto: 7/HTTP][2 pkts/108 bytes <-> 2 pkts/108 bytes] - 9 TCP 10.16.37.157:46473 <-> 200.160.4.49:80 [proto: 7/HTTP][2 pkts/120 bytes <-> 2 pkts/108 bytes] - 10 TCP 10.16.37.157:52953 <-> 200.160.4.49:80 [proto: 7/HTTP][2 pkts/120 bytes <-> 2 pkts/108 bytes] - 11 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][server: *.world.waze.com] - 12 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][server: *.world.waze.com] - 13 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][server: *.world.waze.com] - 14 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][server: *.world.waze.com] - 15 TCP 10.8.0.1:45536 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][8 pkts/594 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com] - 16 TCP 10.8.0.1:45538 <-> 54.230.227.172:80 [proto: 
7.135/HTTP.Waze][7 pkts/555 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com] - 17 TCP 10.8.0.1:45540 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][7 pkts/553 bytes <-> 7 pkts/733 bytes][Host: roadshields.waze.com] + 1 TCP 10.8.0.1:36100 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][52 pkts/10860 bytes <-> 55 pkts/74852 bytes][server: *.world.waze.com] + 2 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7.60/HTTP.HTTP_Download][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Host: xtra1.gpsonextra.net] + 3 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][server: *.world.waze.com] + 4 TCP 10.8.0.1:36312 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][17 pkts/2176 bytes <-> 15 pkts/42443 bytes][server: *.world.waze.com] + 5 TCP 10.8.0.1:36316 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][15 pkts/1540 bytes <-> 13 pkts/26346 bytes][server: *.world.waze.com] + 6 TCP 10.8.0.1:36102 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][19 pkts/2646 bytes <-> 18 pkts/9338 bytes][server: *.world.waze.com] + 7 TCP 10.8.0.1:39010 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][8 pkts/1034 bytes <-> 8 pkts/8151 bytes][server: *.world.waze.com] + 8 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][server: *.waze.com] + 9 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][server: *.waze.com] + 10 TCP 10.8.0.1:36134 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][12 pkts/1650 bytes <-> 12 pkts/4935 bytes][server: *.world.waze.com] + 11 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][server: *.world.waze.com] + 12 TCP 10.8.0.1:36314 <-> 176.34.186.180:443 [proto: 91.135/SSL.Waze][11 pkts/1260 bytes <-> 9 pkts/4413 bytes][server: *.world.waze.com] + 13 TCP 10.8.0.1:51050 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][9 pkts/1184 bytes <-> 9 pkts/4369 
bytes][server: *.waze.com] + 14 TCP 10.8.0.1:45529 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][9 pkts/591 bytes <-> 8 pkts/3424 bytes][Host: roadshields.waze.com] + 15 TCP 10.8.0.1:36585 <-> 173.194.118.48:443 [proto: 64/SSL_No_Cert][7 pkts/1137 bytes <-> 6 pkts/1005 bytes] + 16 TCP 10.8.0.1:45536 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][8 pkts/594 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com] + 17 TCP 10.8.0.1:50828 <-> 108.168.176.228:443 [proto: 142/WhatsApp][8 pkts/673 bytes <-> 7 pkts/668 bytes] 18 TCP 10.8.0.1:45546 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][7 pkts/557 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com] - 19 TCP 10.8.0.1:45552 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][7 pkts/552 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com] - 20 TCP 10.8.0.1:45554 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][7 pkts/550 bytes <-> 7 pkts/769 bytes][Host: cres.waze.com] - 21 TCP 10.8.0.1:54915 <-> 65.39.128.135:80 [proto: 7.60/HTTP.HTTP_Download][19 pkts/1309 bytes <-> 18 pkts/61896 bytes][Host: xtra1.gpsonextra.net] - 22 TCP 10.8.0.1:36585 <-> 173.194.118.48:443 [proto: 64/SSL_No_Cert][7 pkts/1137 bytes <-> 6 pkts/1005 bytes] - 23 TCP 10.8.0.1:43089 <-> 200.160.4.198:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/108 bytes] - 24 TCP 10.8.0.1:51049 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][12 pkts/1282 bytes <-> 11 pkts/6541 bytes][server: *.waze.com] - 25 TCP 10.8.0.1:51051 <-> 176.34.103.105:443 [proto: 91.135/SSL.Waze][11 pkts/1228 bytes <-> 10 pkts/6487 bytes][server: *.waze.com] - 26 UDP 10.8.0.1:46214 <-> 200.89.75.198:123 [proto: 9/NTP][1 pkts/90 bytes <-> 1 pkts/90 bytes] - 27 TCP 10.16.37.157:52746 <-> 200.160.4.49:80 [proto: 7/HTTP][2 pkts/120 bytes <-> 2 pkts/108 bytes] + 19 TCP 10.8.0.1:45538 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][7 pkts/555 bytes <-> 7 pkts/771 bytes][Host: cres.waze.com] + 20 TCP 10.8.0.1:45552 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][7 pkts/552 bytes <-> 7 pkts/771 bytes][Host: 
cres.waze.com] + 21 TCP 10.8.0.1:45554 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][7 pkts/550 bytes <-> 7 pkts/769 bytes][Host: cres.waze.com] + 22 TCP 10.8.0.1:45540 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][7 pkts/553 bytes <-> 7 pkts/733 bytes][Host: roadshields.waze.com] + 23 TCP 10.16.37.157:43991 <-> 200.160.4.31:80 [proto: 7/HTTP][2 pkts/120 bytes <-> 2 pkts/108 bytes] + 24 TCP 10.16.37.157:41823 <-> 200.160.4.49:80 [proto: 7/HTTP][2 pkts/120 bytes <-> 2 pkts/108 bytes] + 25 TCP 10.16.37.157:52953 <-> 200.160.4.49:80 [proto: 7/HTTP][2 pkts/120 bytes <-> 2 pkts/108 bytes] + 26 TCP 10.16.37.157:52746 <-> 200.160.4.49:80 [proto: 7/HTTP][2 pkts/120 bytes <-> 2 pkts/108 bytes] + 27 TCP 10.16.37.157:46473 <-> 200.160.4.49:80 [proto: 7/HTTP][2 pkts/120 bytes <-> 2 pkts/108 bytes] 28 TCP 10.8.0.1:60574 <-> 200.160.4.49:80 [proto: 7/HTTP][2 pkts/108 bytes <-> 2 pkts/108 bytes] 29 TCP 10.8.0.1:60479 <-> 200.160.4.49:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/108 bytes] - 30 TCP 10.8.0.1:36137 <-> 46.51.173.182:443 [proto: 91.135/SSL.Waze][12 pkts/1522 bytes <-> 11 pkts/4220 bytes][server: *.world.waze.com] - 31 TCP 10.8.0.1:39021 <-> 52.17.114.219:443 [proto: 91.135/SSL.Waze][17 pkts/1962 bytes <-> 16 pkts/56934 bytes][server: *.world.waze.com] - 32 TCP 10.8.0.1:45529 <-> 54.230.227.172:80 [proto: 7.135/HTTP.Waze][9 pkts/591 bytes <-> 8 pkts/3424 bytes][Host: roadshields.waze.com] + 30 TCP 10.8.0.1:45169 <-> 200.160.4.198:80 [proto: 7/HTTP][2 pkts/108 bytes <-> 2 pkts/108 bytes] + 31 TCP 10.8.0.1:43089 <-> 200.160.4.198:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/108 bytes] + 32 UDP 10.8.0.1:46214 <-> 200.89.75.198:123 [proto: 9/NTP][1 pkts/90 bytes <-> 1 pkts/90 bytes] Undetected flows: diff --git a/tests/result/webex.pcap.out b/tests/result/webex.pcap.out index 6b130dd20..296e50889 100644 --- a/tests/result/webex.pcap.out +++ b/tests/result/webex.pcap.out 
@@ -6,60 +6,60 @@ Google 17 6375 1 Webex 1380 818407 43 Amazon 3 174 1 - 1 TCP 10.8.0.1:51135 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 2 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][server: *.webex.com] - 3 TCP 10.8.0.1:51195 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][3 pkts/245 bytes <-> 2 pkts/108 bytes] - 4 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/SSL.Webex][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][server: *.webex.com] - 5 TCP 10.8.0.1:51833 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][4 pkts/423 bytes <-> 4 pkts/216 bytes] - 6 TCP 10.8.0.1:51839 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][4 pkts/423 bytes <-> 4 pkts/216 bytes] - 7 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][server: *.webex.com] - 8 TCP 10.8.0.1:51859 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][2 pkts/128 bytes <-> 1 pkts/54 bytes] - 9 TCP 10.8.0.1:41757 <-> 114.29.213.212:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 10 TCP 10.8.0.1:47135 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 11 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/SSL.Webex][6 pkts/407 bytes <-> 5 pkts/4177 bytes][server: *.webex.com] - 12 UDP 10.8.0.1:51772 <-> 62.109.229.158:9000 [proto: 141/Webex][14 pkts/1071 bytes <-> 2 pkts/100 bytes] - 13 TCP 10.8.0.1:59757 <-> 78.46.237.91:80 [proto: 7/HTTP][5 pkts/624 bytes <-> 5 pkts/767 bytes][Host: cp.pushwoosh.com] - 14 TCP 10.133.206.47:59447 <-> 107.20.242.44:443 [proto: 91.178/SSL.Amazon][1 pkts/66 bytes <-> 2 pkts/108 bytes] - 15 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][server: *.webex.com] - 16 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][server: 
*.webex.com] - 17 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][server: *.webex.com] - 18 TCP 10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][server: *.webex.com] - 19 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][server: *.webex.com] - 20 TCP 10.8.0.1:37139 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 21 TCP 10.8.0.1:33511 <-> 80.74.110.68:443 [proto: 91/SSL][4 pkts/452 bytes <-> 4 pkts/216 bytes] - 22 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][10 pkts/1465 bytes <-> 11 pkts/1065 bytes] - 23 TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][10 pkts/1388 bytes <-> 10 pkts/1087 bytes] - 24 TCP 10.8.0.1:33559 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][7 pkts/1280 bytes <-> 6 pkts/453 bytes] - 25 TCP 10.8.0.1:41351 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][5 pkts/560 bytes <-> 4 pkts/345 bytes][client: radcom.webex.com] - 26 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][server: *.webex.com] - 27 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/SSL.Webex][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][server: *.webex.com] - 28 TCP 10.8.0.1:51134 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 29 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][server: *.webex.com] - 30 TCP 10.8.0.1:51190 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][7 pkts/501 bytes <-> 4 pkts/216 bytes] - 31 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][server: *.webex.com] - 32 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/SSL.Webex][8 pkts/841 bytes <-> 7 pkts/4376 bytes][server: *.webex.com] - 
33 TCP 10.8.0.1:41726 <-> 114.29.213.212:443 [proto: 91.141/SSL.Webex][4 pkts/299 bytes <-> 4 pkts/216 bytes] - 34 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/SSL.Webex][8 pkts/841 bytes <-> 7 pkts/4376 bytes][server: *.webex.com] - 35 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/SSL.Webex][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][server: *.webex.com] - 36 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][7 pkts/461 bytes <-> 6 pkts/4231 bytes][server: *.webex.com] - 37 TCP 10.8.0.1:59756 <-> 78.46.237.91:80 [proto: 7/HTTP][6 pkts/970 bytes <-> 6 pkts/821 bytes][Host: cp.pushwoosh.com] - 38 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][9 pkts/895 bytes <-> 8 pkts/4398 bytes][server: *.webex.com] - 39 TCP 10.8.0.1:51676 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 40 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/SSL.Webex][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][server: *.webex.com] - 41 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][client: ssl.google-analytics.com][server: *.google-analytics.com] - 42 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][server: *.webex.com] - 43 TCP 10.133.206.47:54651 <-> 185.63.147.10:443 [proto: 91/SSL][1 pkts/66 bytes <-> 2 pkts/108 bytes] - 44 UDP 10.8.0.1:64538 -> 172.16.1.75:5060 [proto: 100/SIP][22 pkts/15356 bytes -> 0 pkts/0 bytes] - 45 TCP 10.133.206.47:33459 <-> 80.74.110.68:443 [proto: 91/SSL][3 pkts/209 bytes <-> 2 pkts/108 bytes] - 46 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][9 pkts/1357 bytes <-> 9 pkts/615 bytes] - 47 TCP 10.8.0.1:33554 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][9 pkts/1357 bytes <-> 9 pkts/615 bytes] - 48 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/SSL.Webex][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][server: www.webex.com] - 49 TCP 
10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][client: radcom.webex.com][server: *.webex.com] - 50 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][client: radcom.webex.com] - 51 TCP 10.8.0.1:41350 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][6 pkts/614 bytes <-> 5 pkts/399 bytes][client: radcom.webex.com] - 52 TCP 10.8.0.1:41354 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][server: *.webex.com] - 53 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][server: *.webex.com] - 54 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][server: *.webex.com] - 55 TCP 10.8.0.1:41394 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] - 56 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91/SSL][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][client: api.crittercism.com][server: *.crittercism.com] - 57 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/SSL.Webex][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][server: *.webex.com] + 1 TCP 10.8.0.1:51155 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][256 pkts/14707 bytes <-> 257 pkts/329379 bytes][server: *.webex.com] + 2 TCP 10.8.0.1:41348 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][28 pkts/4815 bytes <-> 28 pkts/104881 bytes][client: radcom.webex.com] + 3 TCP 10.8.0.1:41346 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][48 pkts/11540 bytes <-> 47 pkts/80696 bytes][client: radcom.webex.com][server: *.webex.com] + 4 TCP 10.8.0.1:41358 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][19 pkts/2005 bytes <-> 19 pkts/40477 bytes][server: *.webex.com] + 5 TCP 10.8.0.1:51194 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][12 pkts/1531 bytes <-> 12 pkts/34357 bytes][server: *.webex.com] + 6 TCP 10.8.0.1:41354 <-> 
64.68.105.103:443 [proto: 91.141/SSL.Webex][13 pkts/2145 bytes <-> 13 pkts/24239 bytes][server: *.webex.com] + 7 TCP 10.8.0.1:51154 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][55 pkts/12583 bytes <-> 50 pkts/6703 bytes][server: *.webex.com] + 8 UDP 10.8.0.1:64538 -> 172.16.1.75:5060 [proto: 100/SIP][22 pkts/15356 bytes -> 0 pkts/0 bytes] + 9 TCP 10.8.0.1:51857 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][29 pkts/4559 bytes <-> 21 pkts/5801 bytes][server: *.webex.com] + 10 TCP 10.8.0.1:46211 <-> 54.241.32.14:443 [proto: 91/SSL][16 pkts/1984 bytes <-> 14 pkts/7584 bytes][client: api.crittercism.com][server: *.crittercism.com] + 11 TCP 10.8.0.1:41386 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][9 pkts/1417 bytes <-> 8 pkts/6984 bytes][server: *.webex.com] + 12 TCP 10.8.0.1:41419 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][7 pkts/1309 bytes <-> 7 pkts/6930 bytes][server: *.webex.com] + 13 TCP 10.8.0.1:52730 <-> 173.243.4.76:443 [proto: 91.141/SSL.Webex][9 pkts/1369 bytes <-> 8 pkts/6621 bytes][server: *.webex.com] + 14 TCP 10.8.0.1:44492 <-> 64.68.104.140:443 [proto: 91.141/SSL.Webex][9 pkts/1369 bytes <-> 8 pkts/6600 bytes][server: *.webex.com] + 15 TCP 10.8.0.1:45814 <-> 62.109.231.3:443 [proto: 91.141/SSL.Webex][8 pkts/1315 bytes <-> 8 pkts/6653 bytes][server: *.webex.com] + 16 TCP 10.8.0.1:47498 <-> 209.197.222.159:443 [proto: 91.141/SSL.Webex][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][server: *.webex.com] + 17 TCP 10.8.0.1:57647 <-> 64.68.121.153:443 [proto: 91.141/SSL.Webex][7 pkts/1261 bytes <-> 7 pkts/6535 bytes][server: *.webex.com] + 18 TCP 10.8.0.1:37129 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][9 pkts/1369 bytes <-> 9 pkts/5838 bytes][server: *.webex.com] + 19 TCP 10.8.0.1:51370 <-> 64.68.105.97:443 [proto: 91.141/SSL.Webex][8 pkts/1315 bytes <-> 8 pkts/5784 bytes][server: *.webex.com] + 20 TCP 10.8.0.1:55669 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][11 pkts/1830 bytes <-> 12 pkts/4811 bytes][server: *.webex.com] + 21 TCP 
10.8.0.1:55687 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][server: *.webex.com] + 22 TCP 10.8.0.1:55671 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][server: *.webex.com] + 23 TCP 10.8.0.1:55665 <-> 173.243.0.110:443 [proto: 91.141/SSL.Webex][11 pkts/1798 bytes <-> 11 pkts/4757 bytes][server: *.webex.com] + 24 TCP 10.8.0.1:43433 <-> 216.58.208.40:443 [proto: 91.126/SSL.Google][9 pkts/1540 bytes <-> 8 pkts/4835 bytes][client: ssl.google-analytics.com][server: *.google-analytics.com] + 25 TCP 10.8.0.1:51646 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][9 pkts/895 bytes <-> 8 pkts/4398 bytes][server: *.webex.com] + 26 TCP 10.8.0.1:55969 <-> 64.68.121.99:443 [proto: 91.141/SSL.Webex][8 pkts/841 bytes <-> 7 pkts/4376 bytes][server: *.webex.com] + 27 TCP 10.8.0.1:52219 <-> 64.68.121.100:443 [proto: 91.141/SSL.Webex][8 pkts/841 bytes <-> 7 pkts/4376 bytes][server: *.webex.com] + 28 TCP 10.8.0.1:49048 <-> 23.44.253.243:443 [proto: 91.141/SSL.Webex][7 pkts/1181 bytes <-> 7 pkts/4021 bytes][server: www.webex.com] + 29 TCP 10.8.0.1:47116 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][7 pkts/461 bytes <-> 6 pkts/4231 bytes][server: *.webex.com] + 30 TCP 10.8.0.1:47841 <-> 114.29.200.11:443 [proto: 91.141/SSL.Webex][6 pkts/407 bytes <-> 5 pkts/4177 bytes][server: *.webex.com] + 31 TCP 10.8.0.1:33551 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][10 pkts/1465 bytes <-> 11 pkts/1065 bytes] + 32 TCP 10.8.0.1:33553 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][10 pkts/1388 bytes <-> 10 pkts/1087 bytes] + 33 TCP 10.8.0.1:33554 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][9 pkts/1357 bytes <-> 9 pkts/615 bytes] + 34 TCP 10.8.0.1:33512 <-> 80.74.110.68:443 [proto: 64/SSL_No_Cert][9 pkts/1357 bytes <-> 9 pkts/615 bytes] + 35 TCP 10.8.0.1:59756 <-> 78.46.237.91:80 [proto: 7/HTTP][6 pkts/970 bytes <-> 6 pkts/821 bytes][Host: cp.pushwoosh.com] + 36 TCP 10.8.0.1:33559 <-> 80.74.110.68:443 [proto: 
64/SSL_No_Cert][7 pkts/1280 bytes <-> 6 pkts/453 bytes] + 37 TCP 10.8.0.1:59757 <-> 78.46.237.91:80 [proto: 7/HTTP][5 pkts/624 bytes <-> 5 pkts/767 bytes][Host: cp.pushwoosh.com] + 38 UDP 10.8.0.1:51772 <-> 62.109.229.158:9000 [proto: 141/Webex][14 pkts/1071 bytes <-> 2 pkts/100 bytes] + 39 TCP 10.8.0.1:41350 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][6 pkts/614 bytes <-> 5 pkts/399 bytes][client: radcom.webex.com] + 40 TCP 10.8.0.1:41351 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][5 pkts/560 bytes <-> 4 pkts/345 bytes][client: radcom.webex.com] + 41 TCP 10.8.0.1:51190 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][7 pkts/501 bytes <-> 4 pkts/216 bytes] + 42 TCP 10.8.0.1:51135 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] + 43 TCP 10.8.0.1:51134 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] + 44 TCP 10.8.0.1:37139 <-> 64.68.105.98:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] + 45 TCP 10.8.0.1:41394 <-> 64.68.105.103:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] + 46 TCP 10.8.0.1:47135 <-> 114.29.202.139:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] + 47 TCP 10.8.0.1:51676 <-> 114.29.204.49:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] + 48 TCP 10.8.0.1:41757 <-> 114.29.213.212:443 [proto: 91.141/SSL.Webex][6 pkts/427 bytes <-> 5 pkts/270 bytes] + 49 TCP 10.8.0.1:33511 <-> 80.74.110.68:443 [proto: 91/SSL][4 pkts/452 bytes <-> 4 pkts/216 bytes] + 50 TCP 10.8.0.1:51833 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][4 pkts/423 bytes <-> 4 pkts/216 bytes] + 51 TCP 10.8.0.1:51839 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][4 pkts/423 bytes <-> 4 pkts/216 bytes] + 52 TCP 10.8.0.1:41726 <-> 114.29.213.212:443 [proto: 91.141/SSL.Webex][4 pkts/299 bytes <-> 4 pkts/216 bytes] + 53 TCP 10.8.0.1:51195 <-> 62.109.224.120:443 [proto: 91.141/SSL.Webex][3 pkts/245 bytes <-> 2 pkts/108 
bytes] + 54 TCP 10.133.206.47:33459 <-> 80.74.110.68:443 [proto: 91/SSL][3 pkts/209 bytes <-> 2 pkts/108 bytes] + 55 TCP 10.8.0.1:51859 <-> 62.109.229.158:443 [proto: 91.141/SSL.Webex][2 pkts/128 bytes <-> 1 pkts/54 bytes] + 56 TCP 10.133.206.47:54651 <-> 185.63.147.10:443 [proto: 91/SSL][1 pkts/66 bytes <-> 2 pkts/108 bytes] + 57 TCP 10.133.206.47:59447 <-> 107.20.242.44:443 [proto: 91.178/SSL.Amazon][1 pkts/66 bytes <-> 2 pkts/108 bytes] diff --git a/tests/result/wechat.pcap.out b/tests/result/wechat.pcap.out index 401404d8a..8a2781ce3 100644 --- a/tests/result/wechat.pcap.out +++ b/tests/result/wechat.pcap.out 
@@ -14,108 +14,108 @@ Google 92 20878 15 LLMNR 12 944 6 WeChat 1251 606425 49 - 1 UDP 192.168.1.103:33915 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] - 2 TCP 192.168.1.103:40740 <-> 203.205.151.211:443 [proto: 91/SSL][4 pkts/216 bytes <-> 4 pkts/253 bytes] - 3 UDP 192.168.1.103:41759 -> 192.168.1.254:53 [proto: 5/DNS][2 pkts/162 bytes -> 0 pkts/0 bytes][Host: 2.debian.pool.ntp.org] - 4 UDP 192.168.1.103:42589 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com] - 5 UDP 192.168.1.103:43317 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] - 6 UDP 192.168.1.103:43705 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] - 7 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/SSL.QQ][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][client: res.wx.qq.com][server: wx.qq.com] - 8 UDP 192.168.1.103:44063 -> 192.168.1.254:53 [proto: 5/DNS][2 pkts/162 bytes -> 0 pkts/0 bytes][Host: 1.debian.pool.ntp.org] - 9 UDP [fe80::91f9:3df3:7436:6cd6]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][14 pkts/1428 bytes -> 0 pkts/0 bytes] - 10 TCP 192.168.1.103:53220 <-> 172.217.23.78:443 [proto: 91.126/SSL.Google][4 pkts/264 bytes <-> 4 pkts/319 bytes] - 11 TCP 192.168.1.103:47627 <-> 216.58.205.78:443 [proto: 91.126/SSL.Google][3 pkts/198 bytes <-> 4 pkts/319 bytes] - 12 TCP 192.168.1.103:49787 <-> 216.58.205.142:443 [proto: 91.126/SSL.Google][3 pkts/198 bytes <-> 3 pkts/198 bytes] - 13 UDP 192.168.1.103:53515 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/86 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] - 14 TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91.197/SSL.WeChat][3 pkts/802 bytes <-> 3 pkts/198 bytes] - 15 TCP 203.205.151.162:443 <-> 192.168.1.103:54058 [proto: 91.197/SSL.WeChat][88 pkts/15114 bytes <-> 91 pkts/61842 
bytes] - 16 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] + 1 TCP 203.205.151.162:443 <-> 192.168.1.103:54058 [proto: 91.197/SSL.WeChat][88 pkts/15114 bytes <-> 91 pkts/61842 bytes] + 2 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][client: web.wechat.com][server: web.wechat.com] + 3 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][client: web.wechat.com][server: web.wechat.com] + 4 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][client: web.wechat.com][server: web.wechat.com] + 5 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][client: web.wechat.com][server: web.wechat.com] + 6 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][client: web.wechat.com][server: web.wechat.com] + 7 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][client: web.wechat.com][server: web.wechat.com] + 8 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][client: web.wechat.com][server: web.wechat.com] + 9 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][client: web.wechat.com][server: web.wechat.com] + 10 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][client: web.wechat.com][server: web.wechat.com] + 11 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][25 pkts/12063 bytes <-> 19 pkts/7932 bytes][client: web.wechat.com][server: 
web.wechat.com] + 12 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][client: web.wechat.com][server: web.wechat.com] + 13 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][client: web.wechat.com][server: web.wechat.com] + 14 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][client: web.wechat.com][server: web.wechat.com] + 15 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][client: web.wechat.com][server: web.wechat.com] + 16 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][client: web.wechat.com][server: web.wechat.com] 17 TCP 192.168.1.103:54092 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][15 pkts/6438 bytes <-> 11 pkts/5068 bytes][client: web.wechat.com][server: web.wechat.com] - 18 TCP 192.168.1.103:54094 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][22 pkts/10193 bytes <-> 18 pkts/8262 bytes][client: web.wechat.com][server: web.wechat.com] - 19 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] - 20 TCP 192.168.1.103:54098 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][22 pkts/8507 bytes <-> 16 pkts/6575 bytes][client: web.wechat.com][server: web.wechat.com] - 21 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][client: web.wechat.com][server: web.wechat.com] - 22 TCP 192.168.1.103:54102 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][13 pkts/2317 bytes <-> 15 pkts/15724 bytes][client: web.wechat.com][server: web.wechat.com] - 23 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes 
<-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] - 24 TCP 192.168.1.103:54110 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 25 TCP 192.168.1.103:54106 -> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/132 bytes -> 0 pkts/0 bytes] - 26 TCP 192.168.1.103:54112 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 4 pkts/280 bytes] - 27 TCP 192.168.1.103:54114 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 4 pkts/280 bytes] - 28 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][client: web.wechat.com][server: web.wechat.com] - 29 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][client: web.wechat.com][server: web.wechat.com] - 30 UDP 192.168.1.103:56367 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/164 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] - 31 TCP 192.168.1.103:58036 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][15 pkts/6450 bytes <-> 11 pkts/5068 bytes][client: web.wechat.com][server: web.wechat.com] - 32 TCP 192.168.1.103:58038 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][34 pkts/17556 bytes <-> 25 pkts/12172 bytes][client: web.wechat.com][server: web.wechat.com] - 33 TCP 192.168.1.103:58040 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][29 pkts/17545 bytes <-> 20 pkts/6923 bytes][client: web.wechat.com][server: web.wechat.com] - 34 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][client: web.wechat.com][server: web.wechat.com] - 35 UDP 192.168.1.103:58165 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] - 36 TCP 192.168.1.103:58226 -> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][6 pkts/396 bytes -> 0 pkts/0 bytes] - 37 UDP 192.168.1.103:59567 -> 
192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/79 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com.lan] - 38 TCP 192.168.1.103:58143 -> 216.58.205.131:443 [proto: 91.126/SSL.Google][3 pkts/1078 bytes -> 0 pkts/0 bytes] - 39 UDP 192.168.1.103:57591 <-> 216.58.198.46:443 [proto: 188.126/QUIC.Google][6 pkts/2687 bytes <-> 7 pkts/2125 bytes][Host: docs.google.com] - 40 UDP 192.168.1.100:57401 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: mcztmpkc] - 41 TCP 192.168.1.103:34996 -> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] - 42 TCP 192.168.1.103:35000 -> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] - 43 UDP [fe80::7a92:9cff:fe0f:a88e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][44 pkts/4488 bytes -> 0 pkts/0 bytes] - 44 TCP 192.168.1.103:54205 -> 64.233.167.188:443 [proto: 91.126/SSL.Google][2 pkts/132 bytes -> 0 pkts/0 bytes] - 45 ICMPV6 [fe80::842:a3f3:a286:6c5b]:0 -> [ff02::2]:0 [proto: 102/ICMPV6][2 pkts/132 bytes -> 0 pkts/0 bytes] - 46 UDP [fe80::91f9:3df3:7436:6cd6]:50440 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/180 bytes -> 0 pkts/0 bytes][Host: lbjamwptxz] - 47 TCP 192.168.1.103:52020 -> 95.101.180.179:80 [proto: 7/HTTP][8 pkts/528 bytes -> 0 pkts/0 bytes] - 48 UDP 192.168.1.103:35601 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][5 pkts/2035 bytes <-> 5 pkts/1937 bytes][Host: ssl.gstatic.com] - 49 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.124/SSL.YouTube][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][client: safebrowsing.googleusercontent.com][server: *.googleusercontent.com] - 50 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: iphonedimonica] - 51 UDP 192.168.1.103:37578 -> 193.204.114.233:123 [proto: 9/NTP][1 pkts/90 bytes -> 0 pkts/0 bytes] - 52 TCP 192.168.1.103:40741 <-> 203.205.151.211:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/108 bytes] - 53 UDP 192.168.1.103:42074 -> 192.168.1.254:53 [proto: 
5.126/DNS.Google][2 pkts/158 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com.lan] - 54 UDP 192.168.1.103:42856 -> 192.168.1.254:53 [proto: 5/DNS][2 pkts/170 bytes -> 0 pkts/0 bytes][Host: 1.debian.pool.ntp.org.lan] - 55 ICMPV6 [::]:0 -> [ff02::1:ff86:6c5b]:0 [proto: 102/ICMPV6][1 pkts/86 bytes -> 0 pkts/0 bytes] - 56 TCP 192.168.1.103:43851 <-> 203.205.158.34:443 [proto: 91/SSL][5 pkts/290 bytes <-> 4 pkts/234 bytes] - 57 UDP 192.168.1.103:44346 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/86 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] - 58 UDP 192.168.1.103:45366 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/164 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] - 59 UDP 192.168.1.103:46078 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes <-> 1 pkts/234 bytes][Host: ssl.gstatic.com] - 60 UDP 192.168.1.103:51507 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][7 pkts/3507 bytes <-> 6 pkts/3329 bytes][Host: ssl.gstatic.com] - 61 UDP 192.168.1.103:53734 <-> 192.168.1.254:53 [proto: 5.124/DNS.YouTube][1 pkts/94 bytes <-> 1 pkts/272 bytes][Host: safebrowsing.googleusercontent.com] - 62 TCP 192.168.1.103:54085 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/132 bytes <-> 1 pkts/66 bytes] - 63 TCP 192.168.1.103:54089 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][21 pkts/7826 bytes <-> 20 pkts/18761 bytes][client: web.wechat.com][server: web.wechat.com] - 64 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][9 pkts/966 bytes <-> 6 pkts/3571 bytes][client: web.wechat.com][server: web.wechat.com] - 65 TCP 192.168.1.103:54093 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 3 pkts/214 bytes] - 66 TCP 192.168.1.103:54095 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][21 pkts/7825 bytes <-> 18 pkts/17898 bytes][client: web.wechat.com][server: web.wechat.com] - 67 TCP 192.168.1.103:54097 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][25 pkts/12063 bytes <-> 19 
pkts/7932 bytes][client: web.wechat.com][server: web.wechat.com] - 68 TCP 192.168.1.103:54099 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][25 pkts/9013 bytes <-> 29 pkts/27440 bytes][client: web.wechat.com][server: web.wechat.com] - 69 TCP 192.168.1.103:54101 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][46 pkts/12575 bytes <-> 40 pkts/53424 bytes][client: web.wechat.com][server: web.wechat.com] - 70 TCP 192.168.1.103:54103 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][50 pkts/23958 bytes <-> 46 pkts/39684 bytes][client: web.wechat.com][server: web.wechat.com] - 71 TCP 192.168.1.103:54109 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 72 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][client: web.wechat.com][server: web.wechat.com] - 73 TCP 192.168.1.103:54113 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][38 pkts/8933 bytes <-> 35 pkts/35112 bytes][client: web.wechat.com][server: web.wechat.com] - 74 TCP 192.168.1.103:54117 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][20 pkts/8397 bytes <-> 16 pkts/6566 bytes][client: web.wechat.com][server: web.wechat.com] - 75 TCP 192.168.1.103:54119 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][26 pkts/8129 bytes <-> 24 pkts/22836 bytes][client: web.wechat.com][server: web.wechat.com] - 76 TCP 192.168.1.103:54183 -> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/2508 bytes -> 0 pkts/0 bytes] - 77 UDP 192.168.1.103:55862 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes <-> 1 pkts/227 bytes][Host: docs.google.com] - 78 TCP 192.168.1.103:58037 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 3 pkts/214 bytes] - 79 TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][13 pkts/866 bytes <-> 4 pkts/280 bytes] - 80 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3711 
bytes][client: web.wechat.com][server: web.wechat.com] - 81 TCP 192.168.1.103:58043 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][3 pkts/206 bytes <-> 2 pkts/148 bytes] - 82 UDP 192.168.1.103:60356 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/74 bytes <-> 1 pkts/391 bytes][Host: web.wechat.com] - 83 UDP 192.168.1.103:60562 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes <-> 1 pkts/234 bytes][Host: ssl.gstatic.com] - 84 UDP 192.168.1.100:49832 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: cansaqcq] - 85 UDP 192.168.1.100:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][3 pkts/751 bytes -> 0 pkts/0 bytes] - 86 UDP 192.168.1.100:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][9 pkts/828 bytes -> 0 pkts/0 bytes] - 87 UDP 192.168.1.100:54124 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: lbjamwptxz] - 88 IGMP 192.168.1.254:0 -> 224.0.0.1:0 [proto: 82/IGMP][4 pkts/200 bytes -> 0 pkts/0 bytes] - 89 IGMP 192.168.1.100:0 -> 224.0.0.22:0 [proto: 82/IGMP][15 pkts/810 bytes -> 0 pkts/0 bytes] - 90 IGMP 192.168.1.103:0 -> 224.0.0.22:0 [proto: 82/IGMP][4 pkts/216 bytes -> 0 pkts/0 bytes] - 91 IGMP 192.168.1.108:0 -> 224.0.0.22:0 [proto: 82/IGMP][1 pkts/54 bytes -> 0 pkts/0 bytes] - 92 TCP 192.168.1.103:36017 <-> 64.233.167.188:5228 [proto: 126/Google][10 pkts/660 bytes <-> 10 pkts/660 bytes] - 93 TCP 192.168.1.103:34999 -> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] - 94 TCP 192.168.1.103:34981 -> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] - 95 TCP 192.168.1.103:39207 -> 95.101.34.34:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] - 96 TCP 192.168.1.103:39195 -> 95.101.34.34:80 [proto: 7/HTTP][8 pkts/528 bytes -> 0 pkts/0 bytes] - 97 TCP 192.168.1.103:39231 -> 95.101.34.34:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] - 98 UDP 192.168.1.103:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][44 pkts/3608 bytes -> 0 pkts/0 bytes] - 99 
UDP 192.168.1.100:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][14 pkts/1148 bytes -> 0 pkts/0 bytes] - 100 UDP 192.168.1.103:19041 <-> 192.168.1.254:53 [proto: 5.48/DNS.QQ][1 pkts/73 bytes <-> 1 pkts/537 bytes][Host: res.wx.qq.com] - 101 UDP [fe80::91f9:3df3:7436:6cd6]:49195 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: cansaqcq] - 102 UDP [fe80::91f9:3df3:7436:6cd6]:50577 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: mcztmpkc] + 18 TCP 192.168.1.103:54100 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][15 pkts/4627 bytes <-> 12 pkts/5905 bytes][client: web.wechat.com][server: web.wechat.com] + 19 TCP 192.168.1.103:54111 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][14 pkts/4626 bytes <-> 12 pkts/5135 bytes][client: web.wechat.com][server: web.wechat.com] + 20 TCP 192.168.1.103:58042 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][12 pkts/4516 bytes <-> 10 pkts/5004 bytes][client: web.wechat.com][server: web.wechat.com] + 21 TCP 192.168.1.103:43850 <-> 203.205.158.34:443 [proto: 91.48/SSL.QQ][12 pkts/2005 bytes <-> 12 pkts/6787 bytes][client: res.wx.qq.com][server: wx.qq.com] + 22 TCP 192.168.1.103:38657 <-> 172.217.22.14:443 [proto: 91.124/SSL.YouTube][17 pkts/2413 bytes <-> 17 pkts/6268 bytes][client: safebrowsing.googleusercontent.com][server: *.googleusercontent.com] + 23 UDP 192.168.1.103:51507 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][7 pkts/3507 bytes <-> 6 pkts/3329 bytes][Host: ssl.gstatic.com] + 24 UDP 192.168.1.103:57591 <-> 216.58.198.46:443 [proto: 188.126/QUIC.Google][6 pkts/2687 bytes <-> 7 pkts/2125 bytes][Host: docs.google.com] + 25 TCP 192.168.1.103:54120 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][client: web.wechat.com][server: web.wechat.com] + 26 TCP 192.168.1.103:58041 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3711 bytes][client: web.wechat.com][server: web.wechat.com] + 
27 TCP 192.168.1.103:54118 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 8 pkts/3703 bytes][client: web.wechat.com][server: web.wechat.com] + 28 TCP 192.168.1.103:54104 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] + 29 TCP 192.168.1.103:54090 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] + 30 TCP 192.168.1.103:54096 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][10 pkts/1032 bytes <-> 7 pkts/3637 bytes][client: web.wechat.com][server: web.wechat.com] + 31 TCP 192.168.1.103:54091 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][9 pkts/966 bytes <-> 6 pkts/3571 bytes][client: web.wechat.com][server: web.wechat.com] + 32 UDP [fe80::7a92:9cff:fe0f:a88e]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][44 pkts/4488 bytes -> 0 pkts/0 bytes] + 33 UDP 192.168.1.103:35601 <-> 172.217.23.67:443 [proto: 188.126/QUIC.Google][5 pkts/2035 bytes <-> 5 pkts/1937 bytes][Host: ssl.gstatic.com] + 34 UDP 192.168.1.103:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][44 pkts/3608 bytes -> 0 pkts/0 bytes] + 35 TCP 192.168.1.103:54183 -> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/2508 bytes -> 0 pkts/0 bytes] + 36 UDP [fe80::91f9:3df3:7436:6cd6]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][14 pkts/1428 bytes -> 0 pkts/0 bytes] + 37 TCP 192.168.1.103:36017 <-> 64.233.167.188:5228 [proto: 126/Google][10 pkts/660 bytes <-> 10 pkts/660 bytes] + 38 UDP 192.168.1.100:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][14 pkts/1148 bytes -> 0 pkts/0 bytes] + 39 TCP 192.168.1.103:58039 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][13 pkts/866 bytes <-> 4 pkts/280 bytes] + 40 TCP 192.168.1.103:58143 -> 216.58.205.131:443 [proto: 91.126/SSL.Google][3 pkts/1078 bytes -> 0 pkts/0 bytes] + 41 TCP 203.205.151.162:443 <-> 192.168.1.103:54084 [proto: 91.197/SSL.WeChat][3 pkts/802 bytes <-> 3 
pkts/198 bytes] + 42 UDP 192.168.1.100:137 -> 192.168.1.255:137 [proto: 10/NetBIOS][9 pkts/828 bytes -> 0 pkts/0 bytes] + 43 IGMP 192.168.1.100:0 -> 224.0.0.22:0 [proto: 82/IGMP][15 pkts/810 bytes -> 0 pkts/0 bytes] + 44 UDP 192.168.1.100:138 -> 192.168.1.255:138 [proto: 10/NetBIOS][3 pkts/751 bytes -> 0 pkts/0 bytes] + 45 TCP 192.168.1.103:54114 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 4 pkts/280 bytes] + 46 TCP 192.168.1.103:54112 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 4 pkts/280 bytes] + 47 UDP 192.168.1.103:19041 <-> 192.168.1.254:53 [proto: 5.48/DNS.QQ][1 pkts/73 bytes <-> 1 pkts/537 bytes][Host: res.wx.qq.com] + 48 TCP 192.168.1.103:34996 -> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] + 49 TCP 192.168.1.103:39207 -> 95.101.34.34:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] + 50 TCP 192.168.1.103:39231 -> 95.101.34.34:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] + 51 TCP 192.168.1.103:34981 -> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] + 52 TCP 192.168.1.103:34999 -> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] + 53 TCP 192.168.1.103:35000 -> 95.101.34.33:80 [proto: 7/HTTP][9 pkts/594 bytes -> 0 pkts/0 bytes] + 54 TCP 192.168.1.103:53220 <-> 172.217.23.78:443 [proto: 91.126/SSL.Google][4 pkts/264 bytes <-> 4 pkts/319 bytes] + 55 TCP 192.168.1.103:54093 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 3 pkts/214 bytes] + 56 TCP 192.168.1.103:58037 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][5 pkts/338 bytes <-> 3 pkts/214 bytes] + 57 TCP 192.168.1.103:52020 -> 95.101.180.179:80 [proto: 7/HTTP][8 pkts/528 bytes -> 0 pkts/0 bytes] + 58 TCP 192.168.1.103:39195 -> 95.101.34.34:80 [proto: 7/HTTP][8 pkts/528 bytes -> 0 pkts/0 bytes] + 59 TCP 192.168.1.103:43851 <-> 203.205.158.34:443 [proto: 91/SSL][5 pkts/290 bytes <-> 4 pkts/234 bytes] + 60 TCP 192.168.1.103:47627 <-> 
216.58.205.78:443 [proto: 91.126/SSL.Google][3 pkts/198 bytes <-> 4 pkts/319 bytes] + 61 TCP 192.168.1.103:40740 <-> 203.205.151.211:443 [proto: 91/SSL][4 pkts/216 bytes <-> 4 pkts/253 bytes] + 62 UDP 192.168.1.103:60356 <-> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/74 bytes <-> 1 pkts/391 bytes][Host: web.wechat.com] + 63 TCP 192.168.1.103:49787 <-> 216.58.205.142:443 [proto: 91.126/SSL.Google][3 pkts/198 bytes <-> 3 pkts/198 bytes] + 64 TCP 192.168.1.103:58226 -> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][6 pkts/396 bytes -> 0 pkts/0 bytes] + 65 UDP 192.168.1.103:53734 <-> 192.168.1.254:53 [proto: 5.124/DNS.YouTube][1 pkts/94 bytes <-> 1 pkts/272 bytes][Host: safebrowsing.googleusercontent.com] + 66 TCP 192.168.1.103:58043 <-> 203.205.147.171:443 [proto: 91.197/SSL.WeChat][3 pkts/206 bytes <-> 2 pkts/148 bytes] + 67 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][1 pkts/342 bytes -> 0 pkts/0 bytes][Host: iphonedimonica] + 68 UDP 192.168.1.103:60562 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes <-> 1 pkts/234 bytes][Host: ssl.gstatic.com] + 69 UDP 192.168.1.103:46078 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes <-> 1 pkts/234 bytes][Host: ssl.gstatic.com] + 70 UDP 192.168.1.103:55862 <-> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes <-> 1 pkts/227 bytes][Host: docs.google.com] + 71 TCP 192.168.1.103:40741 <-> 203.205.151.211:443 [proto: 91/SSL][2 pkts/108 bytes <-> 2 pkts/108 bytes] + 72 IGMP 192.168.1.103:0 -> 224.0.0.22:0 [proto: 82/IGMP][4 pkts/216 bytes -> 0 pkts/0 bytes] + 73 IGMP 192.168.1.254:0 -> 224.0.0.1:0 [proto: 82/IGMP][4 pkts/200 bytes -> 0 pkts/0 bytes] + 74 TCP 192.168.1.103:54085 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/132 bytes <-> 1 pkts/66 bytes] + 75 UDP [fe80::91f9:3df3:7436:6cd6]:50440 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/180 bytes -> 0 pkts/0 bytes][Host: lbjamwptxz] + 76 UDP [fe80::91f9:3df3:7436:6cd6]:49195 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 
pkts/176 bytes -> 0 pkts/0 bytes][Host: cansaqcq] + 77 UDP [fe80::91f9:3df3:7436:6cd6]:50577 -> [ff02::1:3]:5355 [proto: 154/LLMNR][2 pkts/176 bytes -> 0 pkts/0 bytes][Host: mcztmpkc] + 78 UDP 192.168.1.103:43705 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/172 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] + 79 UDP 192.168.1.103:42856 -> 192.168.1.254:53 [proto: 5/DNS][2 pkts/170 bytes -> 0 pkts/0 bytes][Host: 1.debian.pool.ntp.org.lan] + 80 UDP 192.168.1.103:56367 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/164 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] + 81 UDP 192.168.1.103:45366 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][2 pkts/164 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] + 82 UDP 192.168.1.103:44063 -> 192.168.1.254:53 [proto: 5/DNS][2 pkts/162 bytes -> 0 pkts/0 bytes][Host: 1.debian.pool.ntp.org] + 83 UDP 192.168.1.103:41759 -> 192.168.1.254:53 [proto: 5/DNS][2 pkts/162 bytes -> 0 pkts/0 bytes][Host: 2.debian.pool.ntp.org] + 84 UDP 192.168.1.103:42074 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][2 pkts/158 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com.lan] + 85 UDP 192.168.1.100:54124 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/140 bytes -> 0 pkts/0 bytes][Host: lbjamwptxz] + 86 UDP 192.168.1.100:49832 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: cansaqcq] + 87 UDP 192.168.1.100:57401 -> 224.0.0.252:5355 [proto: 154/LLMNR][2 pkts/136 bytes -> 0 pkts/0 bytes][Host: mcztmpkc] + 88 TCP 192.168.1.103:54205 -> 64.233.167.188:443 [proto: 91.126/SSL.Google][2 pkts/132 bytes -> 0 pkts/0 bytes] + 89 ICMPV6 [fe80::842:a3f3:a286:6c5b]:0 -> [ff02::2]:0 [proto: 102/ICMPV6][2 pkts/132 bytes -> 0 pkts/0 bytes] + 90 TCP 192.168.1.103:54110 <-> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][1 pkts/66 bytes <-> 1 pkts/66 bytes] + 91 TCP 192.168.1.103:54106 -> 203.205.151.162:443 [proto: 91.197/SSL.WeChat][2 pkts/132 bytes -> 0 pkts/0 bytes] + 92 TCP 192.168.1.103:54109 <-> 
203.205.151.162:443 [proto: 91.197/SSL.WeChat][1 pkts/66 bytes <-> 1 pkts/66 bytes] + 93 UDP 192.168.1.103:37578 -> 193.204.114.233:123 [proto: 9/NTP][1 pkts/90 bytes -> 0 pkts/0 bytes] + 94 ICMPV6 [::]:0 -> [ff02::1:ff86:6c5b]:0 [proto: 102/ICMPV6][1 pkts/86 bytes -> 0 pkts/0 bytes] + 95 UDP 192.168.1.103:53515 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/86 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] + 96 UDP 192.168.1.103:44346 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/86 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com.lan] + 97 UDP 192.168.1.103:33915 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] + 98 UDP 192.168.1.103:58165 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] + 99 UDP 192.168.1.103:43317 -> 192.168.1.254:53 [proto: 5.197/DNS.WeChat][1 pkts/82 bytes -> 0 pkts/0 bytes][Host: webpush.web.wechat.com] + 100 UDP 192.168.1.103:59567 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/79 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com.lan] + 101 UDP 192.168.1.103:42589 -> 192.168.1.254:53 [proto: 5.126/DNS.Google][1 pkts/75 bytes -> 0 pkts/0 bytes][Host: ssl.gstatic.com] + 102 IGMP 192.168.1.108:0 -> 224.0.0.22:0 [proto: 82/IGMP][1 pkts/54 bytes -> 0 pkts/0 bytes] Undetected flows: diff --git a/tests/result/weibo.pcap.out b/tests/result/weibo.pcap.out index 85674141e..9952d61a8 100644 --- a/tests/result/weibo.pcap.out +++ b/tests/result/weibo.pcap.out 
@@ -6,47 +6,47 @@ Amazon 2 132 1 QUIC 23 4118 2 Sina(Weibo) 418 258007 15 - 1 TCP 192.168.1.105:48352 -> 140.205.174.1:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] - 2 TCP 192.168.1.105:48356 -> 140.205.174.1:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] - 3 TCP 192.168.1.105:59120 <-> 114.134.80.162:80 [proto: 7/HTTP][2 pkts/128 bytes <-> 1 pkts/66 bytes] - 4 TCP 192.168.1.105:34699 <-> 216.58.212.65:443 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 5 TCP 192.168.1.105:42275 <-> 222.73.28.96:80 [proto: 7.200/HTTP.Sina(Weibo)][3 pkts/610 bytes <-> 1 pkts/66 bytes][Host: u1.img.mobile.sina.cn] - 6 UDP 192.168.1.105:50533 -> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/74 bytes -> 0 pkts/0 bytes][Host: data.weibo.com] - 7 UDP 192.168.1.105:53543 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/75 bytes <-> 1 pkts/191 bytes][Host: img.t.sinajs.cn] - 8 UDP 216.58.210.14:443 <-> 192.168.1.105:49361 [proto: 188/QUIC][5 pkts/963 bytes <-> 4 pkts/981 bytes] - 9 TCP 192.168.1.105:58481 <-> 216.58.214.78:443 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 10 UDP 192.168.1.105:7148 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/73 bytes <-> 1 pkts/142 bytes][Host: www.weibo.com] - 11 TCP 192.168.1.105:35803 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][52 pkts/5367 bytes <-> 54 pkts/71536 bytes][Host: img.t.sinajs.cn] - 12 TCP 192.168.1.105:35805 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][21 pkts/2323 bytes <-> 20 pkts/20922 bytes][Host: img.t.sinajs.cn] - 13 TCP 192.168.1.105:35807 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][27 pkts/2298 bytes <-> 26 pkts/34170 bytes][Host: img.t.sinajs.cn] - 14 TCP 192.168.1.105:35809 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][18 pkts/1681 bytes <-> 17 pkts/20680 bytes][Host: img.t.sinajs.cn] - 15 TCP 192.168.1.105:35811 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][3 pkts/604 bytes <-> 2 pkts/140 bytes][Host: 
js.t.sinajs.cn] - 16 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/SSL][3 pkts/382 bytes <-> 1 pkts/66 bytes][client: g.alicdn.com] - 17 TCP 192.168.1.105:50831 <-> 47.89.65.229:443 [proto: 91/SSL][2 pkts/128 bytes <-> 1 pkts/66 bytes] - 18 TCP 192.168.1.105:52272 -> 42.156.184.19:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] - 19 TCP 192.168.1.105:52274 -> 42.156.184.19:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] - 20 UDP 192.168.1.105:11798 -> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/77 bytes -> 0 pkts/0 bytes][Host: account.weibo.com] - 21 UDP 192.168.1.105:16804 -> 192.168.1.1:53 [proto: 5/DNS][1 pkts/70 bytes -> 0 pkts/0 bytes][Host: c.weibo.cn] - 22 TCP 192.168.1.105:47721 -> 140.205.170.63:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] - 23 TCP 192.168.1.105:47723 -> 140.205.170.63:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] - 24 TCP 192.168.1.105:48353 -> 140.205.174.1:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] - 25 UDP 192.168.1.105:33822 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/76 bytes <-> 1 pkts/166 bytes][Host: login.taobao.com] - 26 TCP 192.168.1.105:59119 <-> 114.134.80.162:80 [proto: 7/HTTP][5 pkts/736 bytes <-> 4 pkts/863 bytes][Host: weibo.com] - 27 TCP 192.168.1.105:59121 <-> 114.134.80.162:80 [proto: 7/HTTP][2 pkts/128 bytes <-> 1 pkts/66 bytes] - 28 TCP 192.168.1.105:35154 <-> 216.58.210.206:443 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 29 TCP 192.168.1.105:37802 <-> 216.58.212.69:443 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 30 UDP 192.168.1.105:41352 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/74 bytes <-> 1 pkts/190 bytes][Host: js.t.sinajs.cn] - 31 TCP 192.168.1.105:42280 -> 222.73.28.96:80 [proto: 7/HTTP][1 pkts/74 bytes -> 0 pkts/0 bytes] - 32 UDP 192.168.1.105:50640 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/77 bytes <-> 1 pkts/157 bytes][Host: acjstb.aliyun.com] - 33 UDP 192.168.1.105:51440 <-> 
192.168.1.1:53 [proto: 5/DNS][1 pkts/72 bytes <-> 1 pkts/171 bytes][Host: g.alicdn.com] - 34 UDP 192.168.1.105:53466 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/74 bytes <-> 1 pkts/112 bytes][Host: log.mmstat.com] - 35 UDP 192.168.1.105:54988 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/69 bytes <-> 1 pkts/85 bytes][Host: weibo.com] - 36 UDP 192.168.1.105:53656 <-> 216.58.210.227:443 [proto: 188/QUIC][8 pkts/1301 bytes <-> 6 pkts/873 bytes] - 37 TCP 192.168.1.105:58480 <-> 216.58.214.78:443 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 38 TCP 192.168.1.105:40440 <-> 54.225.163.210:443 [proto: 91.178/SSL.Amazon][1 pkts/66 bytes <-> 1 pkts/66 bytes] - 39 TCP 192.168.1.105:35804 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][32 pkts/3624 bytes <-> 40 pkts/50657 bytes][Host: img.t.sinajs.cn] - 40 TCP 192.168.1.105:35806 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][7 pkts/946 bytes <-> 6 pkts/3755 bytes][Host: img.t.sinajs.cn] - 41 TCP 192.168.1.105:35808 <-> 93.188.134.246:80 [proto: 7/HTTP][2 pkts/140 bytes <-> 1 pkts/74 bytes] - 42 TCP 192.168.1.105:52271 -> 42.156.184.19:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] - 43 UDP 192.168.1.105:18035 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/81 bytes <-> 1 pkts/159 bytes][Host: u1.img.mobile.sina.cn] - 44 TCP 192.168.1.105:51698 <-> 93.188.134.137:80 [proto: 7.200/HTTP.Sina(Weibo)][40 pkts/3462 bytes <-> 39 pkts/34030 bytes][Host: www.weibo.com] + 1 TCP 192.168.1.105:35803 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][52 pkts/5367 bytes <-> 54 pkts/71536 bytes][Host: img.t.sinajs.cn] + 2 TCP 192.168.1.105:35804 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][32 pkts/3624 bytes <-> 40 pkts/50657 bytes][Host: img.t.sinajs.cn] + 3 TCP 192.168.1.105:51698 <-> 93.188.134.137:80 [proto: 7.200/HTTP.Sina(Weibo)][40 pkts/3462 bytes <-> 39 pkts/34030 bytes][Host: www.weibo.com] + 4 TCP 192.168.1.105:35807 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][27 
pkts/2298 bytes <-> 26 pkts/34170 bytes][Host: img.t.sinajs.cn] + 5 TCP 192.168.1.105:35805 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][21 pkts/2323 bytes <-> 20 pkts/20922 bytes][Host: img.t.sinajs.cn] + 6 TCP 192.168.1.105:35809 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][18 pkts/1681 bytes <-> 17 pkts/20680 bytes][Host: img.t.sinajs.cn] + 7 TCP 192.168.1.105:35806 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][7 pkts/946 bytes <-> 6 pkts/3755 bytes][Host: img.t.sinajs.cn] + 8 UDP 192.168.1.105:53656 <-> 216.58.210.227:443 [proto: 188/QUIC][8 pkts/1301 bytes <-> 6 pkts/873 bytes] + 9 UDP 216.58.210.14:443 <-> 192.168.1.105:49361 [proto: 188/QUIC][5 pkts/963 bytes <-> 4 pkts/981 bytes] + 10 TCP 192.168.1.105:59119 <-> 114.134.80.162:80 [proto: 7/HTTP][5 pkts/736 bytes <-> 4 pkts/863 bytes][Host: weibo.com] + 11 TCP 192.168.1.105:35811 <-> 93.188.134.246:80 [proto: 7.200/HTTP.Sina(Weibo)][3 pkts/604 bytes <-> 2 pkts/140 bytes][Host: js.t.sinajs.cn] + 12 TCP 192.168.1.105:42275 <-> 222.73.28.96:80 [proto: 7.200/HTTP.Sina(Weibo)][3 pkts/610 bytes <-> 1 pkts/66 bytes][Host: u1.img.mobile.sina.cn] + 13 TCP 192.168.1.105:50827 <-> 47.89.65.229:443 [proto: 91/SSL][3 pkts/382 bytes <-> 1 pkts/66 bytes][client: g.alicdn.com] + 14 UDP 192.168.1.105:53543 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/75 bytes <-> 1 pkts/191 bytes][Host: img.t.sinajs.cn] + 15 UDP 192.168.1.105:41352 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/74 bytes <-> 1 pkts/190 bytes][Host: js.t.sinajs.cn] + 16 UDP 192.168.1.105:51440 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/72 bytes <-> 1 pkts/171 bytes][Host: g.alicdn.com] + 17 UDP 192.168.1.105:33822 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/76 bytes <-> 1 pkts/166 bytes][Host: login.taobao.com] + 18 UDP 192.168.1.105:18035 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/81 bytes <-> 1 pkts/159 bytes][Host: u1.img.mobile.sina.cn] + 19 UDP 192.168.1.105:50640 <-> 192.168.1.1:53 [proto: 5/DNS][1 
pkts/77 bytes <-> 1 pkts/157 bytes][Host: acjstb.aliyun.com] + 20 UDP 192.168.1.105:7148 <-> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/73 bytes <-> 1 pkts/142 bytes][Host: www.weibo.com] + 21 TCP 192.168.1.105:35808 <-> 93.188.134.246:80 [proto: 7/HTTP][2 pkts/140 bytes <-> 1 pkts/74 bytes] + 22 TCP 192.168.1.105:50831 <-> 47.89.65.229:443 [proto: 91/SSL][2 pkts/128 bytes <-> 1 pkts/66 bytes] + 23 TCP 192.168.1.105:59120 <-> 114.134.80.162:80 [proto: 7/HTTP][2 pkts/128 bytes <-> 1 pkts/66 bytes] + 24 TCP 192.168.1.105:59121 <-> 114.134.80.162:80 [proto: 7/HTTP][2 pkts/128 bytes <-> 1 pkts/66 bytes] + 25 UDP 192.168.1.105:53466 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/74 bytes <-> 1 pkts/112 bytes][Host: log.mmstat.com] + 26 UDP 192.168.1.105:54988 <-> 192.168.1.1:53 [proto: 5/DNS][1 pkts/69 bytes <-> 1 pkts/85 bytes][Host: weibo.com] + 27 TCP 192.168.1.105:37802 <-> 216.58.212.69:443 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] + 28 TCP 192.168.1.105:40440 <-> 54.225.163.210:443 [proto: 91.178/SSL.Amazon][1 pkts/66 bytes <-> 1 pkts/66 bytes] + 29 TCP 192.168.1.105:35154 <-> 216.58.210.206:443 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] + 30 TCP 192.168.1.105:58481 <-> 216.58.214.78:443 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] + 31 TCP 192.168.1.105:58480 <-> 216.58.214.78:443 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] + 32 TCP 192.168.1.105:34699 <-> 216.58.212.65:443 [proto: 91.126/SSL.Google][1 pkts/66 bytes <-> 1 pkts/66 bytes] + 33 UDP 192.168.1.105:11798 -> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/77 bytes -> 0 pkts/0 bytes][Host: account.weibo.com] + 34 TCP 192.168.1.105:42280 -> 222.73.28.96:80 [proto: 7/HTTP][1 pkts/74 bytes -> 0 pkts/0 bytes] + 35 TCP 192.168.1.105:47721 -> 140.205.170.63:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] + 36 TCP 192.168.1.105:47723 -> 140.205.170.63:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] + 37 TCP 
192.168.1.105:52271 -> 42.156.184.19:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] + 38 TCP 192.168.1.105:48356 -> 140.205.174.1:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] + 39 UDP 192.168.1.105:50533 -> 192.168.1.1:53 [proto: 5.200/DNS.Sina(Weibo)][1 pkts/74 bytes -> 0 pkts/0 bytes][Host: data.weibo.com] + 40 TCP 192.168.1.105:52274 -> 42.156.184.19:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] + 41 TCP 192.168.1.105:52272 -> 42.156.184.19:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] + 42 TCP 192.168.1.105:48353 -> 140.205.174.1:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] + 43 TCP 192.168.1.105:48352 -> 140.205.174.1:443 [proto: 91/SSL][1 pkts/74 bytes -> 0 pkts/0 bytes] + 44 UDP 192.168.1.105:16804 -> 192.168.1.1:53 [proto: 5/DNS][1 pkts/70 bytes -> 0 pkts/0 bytes][Host: c.weibo.cn] diff --git a/tests/result/whatsapp_login_call.pcap.out b/tests/result/whatsapp_login_call.pcap.out index 6105015fc..d5d1e6eb6 100644 --- a/tests/result/whatsapp_login_call.pcap.out +++ b/tests/result/whatsapp_login_call.pcap.out 
@@ -12,60 +12,60 @@ Spotify 3 258 1 WhatsAppVoice 706 91156 4 AppleStore 85 28087 2 - 1 UDP [fe80::da30:62ff:fe56:1c]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes -> 0 pkts/0 bytes] - 2 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][4 pkts/2176 bytes -> 0 pkts/0 bytes] - 3 ICMP 192.168.2.4:0 -> 91.253.176.65:0 [proto: 81/ICMP][10 pkts/700 bytes -> 0 pkts/0 bytes] - 4 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 189/WhatsAppVoice][141 pkts/17530 bytes <-> 57 pkts/12888 bytes] - 5 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 6 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][1 pkts/79 bytes <-> 1 pkts/251 bytes][Host: query.ess.apple.com] - 7 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 8 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78/STUN][15 pkts/1290 bytes -> 0 pkts/0 bytes] - 9 TCP 192.168.2.4:49166 <-> 17.154.66.121:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 10 TCP 192.168.2.4:49169 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 11 TCP 192.168.2.4:49176 <-> 17.130.137.77:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 12 TCP 192.168.2.4:49182 <-> 17.172.100.52:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 13 TCP 192.168.2.4:49197 <-> 17.167.142.39:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 14 TCP 192.168.2.4:49180 <-> 17.172.100.59:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 15 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.224/SSL.AppleStore][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][client: p53-buy.itunes.apple.com] - 16 TCP 192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/SSL][3 pkts/174 bytes <-> 2 pkts/217 bytes] - 17 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 
78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 18 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 19 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 20 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 21 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 22 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 23 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 24 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 189/WhatsAppVoice][12 pkts/2341 bytes <-> 12 pkts/2484 bytes] - 25 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 26 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 27 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 28 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 29 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 189/WhatsAppVoice][9 pkts/1842 bytes <-> 11 pkts/1151 bytes] - 30 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 31 TCP 192.168.2.4:49173 <-> 93.186.135.82:80 [proto: 7/HTTP][2 pkts/132 bytes <-> 1 pkts/66 bytes] - 32 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 91/SSL][2 pkts/132 bytes <-> 1 pkts/66 bytes] - 33 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][10 pkts/3420 bytes -> 0 pkts/0 bytes][Host: lucas-imac] - 34 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 189/WhatsAppVoice][186 pkts/27025 
bytes <-> 278 pkts/25895 bytes] - 35 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][100 pkts/14711 bytes <-> 80 pkts/10163 bytes] - 36 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][3 pkts/258 bytes -> 0 pkts/0 bytes] - 37 UDP 192.168.2.4:52190 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][1 pkts/76 bytes <-> 1 pkts/204 bytes][Host: e13.whatsapp.net] - 38 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78/STUN][12 pkts/1032 bytes -> 0 pkts/0 bytes] + 1 UDP 192.168.2.4:51518 <-> 91.253.176.65:9344 [proto: 189/WhatsAppVoice][186 pkts/27025 bytes <-> 278 pkts/25895 bytes] + 2 UDP 192.168.2.4:52794 <-> 91.253.176.65:9665 [proto: 189/WhatsAppVoice][141 pkts/17530 bytes <-> 57 pkts/12888 bytes] + 3 TCP 192.168.2.4:49202 <-> 184.173.179.37:5222 [proto: 142/WhatsApp][100 pkts/14711 bytes <-> 80 pkts/10163 bytes] + 4 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.224/SSL.AppleStore][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][client: p53-buy.itunes.apple.com] + 5 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/SSL.Apple][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][client: query.ess.apple.com][server: *.ess.apple.com] + 6 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.224/SSL.AppleStore][17 pkts/6166 bytes <-> 15 pkts/3539 bytes][client: p53-buy.itunes.apple.com] + 7 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 140/Apple][11 pkts/4732 bytes <-> 11 pkts/1194 bytes] + 8 UDP 192.168.2.4:51518 <-> 31.13.93.48:3478 [proto: 189/WhatsAppVoice][12 pkts/2341 bytes <-> 12 pkts/2484 bytes] + 9 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][10 pkts/3420 bytes -> 0 pkts/0 bytes][Host: lucas-imac] + 10 UDP 192.168.2.4:52794 <-> 31.13.84.48:3478 [proto: 189/WhatsAppVoice][9 pkts/1842 bytes <-> 11 pkts/1151 bytes] + 11 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][4 pkts/2176 bytes -> 0 pkts/0 bytes] + 12 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][9 
pkts/1130 bytes <-> 8 pkts/868 bytes] + 13 UDP 192.168.2.4:51518 -> 1.194.90.191:60312 [proto: 78/STUN][15 pkts/1290 bytes -> 0 pkts/0 bytes] + 14 UDP 192.168.2.4:52794 -> 1.194.90.191:51727 [proto: 78/STUN][12 pkts/1032 bytes -> 0 pkts/0 bytes] + 15 ICMP 192.168.2.4:0 -> 91.253.176.65:0 [proto: 81/ICMP][10 pkts/700 bytes -> 0 pkts/0 bytes] + 16 UDP 192.168.2.4:52794 <-> 31.13.79.192:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 17 UDP 192.168.2.4:52794 <-> 179.60.192.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 18 UDP 192.168.2.4:52794 <-> 173.252.114.1:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 19 UDP 192.168.2.4:51518 <-> 31.13.79.192:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 20 UDP 192.168.2.4:51518 <-> 31.13.100.14:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 21 UDP 192.168.2.4:52794 <-> 31.13.74.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 22 UDP 192.168.2.4:51518 <-> 31.13.73.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 23 UDP 192.168.2.4:52794 <-> 31.13.90.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 24 UDP 192.168.2.4:52794 <-> 31.13.73.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 25 UDP 192.168.2.4:52794 <-> 31.13.93.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 26 UDP 192.168.2.4:51518 <-> 31.13.70.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 27 UDP 192.168.2.4:51518 <-> 31.13.64.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 28 UDP 192.168.2.4:51518 <-> 31.13.85.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 29 UDP 192.168.2.4:51518 <-> 31.13.91.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 30 TCP 
192.168.2.4:49172 <-> 23.50.148.228:443 [proto: 91/SSL][3 pkts/174 bytes <-> 2 pkts/217 bytes] + 31 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][3 pkts/198 bytes <-> 2 pkts/132 bytes] + 32 UDP 192.168.2.4:51897 <-> 192.168.2.1:53 [proto: 5.140/DNS.Apple][1 pkts/79 bytes <-> 1 pkts/251 bytes][Host: query.ess.apple.com] + 33 UDP 192.168.2.4:52190 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][1 pkts/76 bytes <-> 1 pkts/204 bytes][Host: e13.whatsapp.net] + 34 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][3 pkts/258 bytes -> 0 pkts/0 bytes] + 35 UDP [fe80::da30:62ff:fe56:1c]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes -> 0 pkts/0 bytes] + 36 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes -> 0 pkts/0 bytes] + 37 UDP 169.254.166.207:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][2 pkts/218 bytes -> 0 pkts/0 bytes] + 38 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][2 pkts/218 bytes -> 0 pkts/0 bytes] 39 TCP 192.168.2.4:49174 <-> 5.178.42.26:80 [proto: 7/HTTP][2 pkts/132 bytes <-> 1 pkts/66 bytes] - 40 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 41 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 42 TCP 192.168.2.4:49201 <-> 17.178.104.12:443 [proto: 91.140/SSL.Apple][21 pkts/7644 bytes <-> 17 pkts/9576 bytes][client: query.ess.apple.com][server: *.ess.apple.com] - 43 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 44 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/SSL.Apple][2 pkts/132 bytes <-> 1 pkts/66 bytes] + 40 TCP 192.168.2.4:49203 <-> 17.178.104.14:443 [proto: 91.140/SSL.Apple][2 pkts/132 bytes <-> 1 pkts/66 bytes] + 41 TCP 192.168.2.4:49173 <-> 93.186.135.82:80 [proto: 7/HTTP][2 pkts/132 bytes <-> 1 pkts/66 bytes] + 42 TCP 192.168.2.4:49194 <-> 93.62.150.157:443 [proto: 
91/SSL][2 pkts/132 bytes <-> 1 pkts/66 bytes] + 43 TCP 192.168.2.4:49182 <-> 17.172.100.52:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] + 44 TCP 192.168.2.4:49167 <-> 17.172.100.8:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] 45 TCP 192.168.2.4:49198 <-> 17.167.142.13:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] 46 TCP 192.168.2.4:49200 <-> 17.167.142.13:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] 47 TCP 192.168.2.4:49191 <-> 17.172.100.49:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] 48 TCP 192.168.2.4:49181 <-> 17.172.100.37:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] 49 TCP 192.168.2.4:49164 <-> 17.167.142.31:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 50 TCP 192.168.2.4:49165 <-> 17.172.100.55:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] - 51 TCP 192.168.2.4:49204 <-> 17.173.66.102:443 [proto: 91.224/SSL.AppleStore][29 pkts/11770 bytes <-> 24 pkts/6612 bytes][client: p53-buy.itunes.apple.com] - 52 TCP 192.168.2.4:49199 <-> 17.172.100.70:993 [proto: 51.140/IMAPS.Apple][9 pkts/1130 bytes <-> 8 pkts/868 bytes] - 53 TCP 192.168.2.4:49193 <-> 17.110.229.14:5223 [proto: 140/Apple][11 pkts/4732 bytes <-> 11 pkts/1194 bytes] - 54 UDP 169.254.166.207:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][2 pkts/218 bytes -> 0 pkts/0 bytes] - 55 UDP 192.168.2.1:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][2 pkts/218 bytes -> 0 pkts/0 bytes] - 56 TCP 192.168.2.4:49192 <-> 93.186.135.8:80 [proto: 7/HTTP][3 pkts/198 bytes <-> 2 pkts/132 bytes] - 57 UDP [fe80::c42c:3ff:fe60:6a64]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][2 pkts/258 bytes -> 0 pkts/0 bytes] + 50 TCP 192.168.2.4:49176 <-> 17.130.137.77:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] + 51 TCP 192.168.2.4:49169 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] + 52 TCP 192.168.2.4:49166 <-> 
17.154.66.121:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] + 53 TCP 192.168.2.4:49175 <-> 17.172.100.53:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] + 54 TCP 192.168.2.4:49180 <-> 17.172.100.59:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] + 55 TCP 192.168.2.4:49163 <-> 17.154.66.111:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] + 56 TCP 192.168.2.4:49165 <-> 17.172.100.55:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] + 57 TCP 192.168.2.4:49197 <-> 17.167.142.39:443 [proto: 91.140/SSL.Apple][2 pkts/108 bytes <-> 1 pkts/54 bytes] diff --git a/tests/result/whatsapp_login_chat.pcap.out b/tests/result/whatsapp_login_chat.pcap.out index 14bacb23f..f94954c5f 100644 --- a/tests/result/whatsapp_login_chat.pcap.out +++ b/tests/result/whatsapp_login_chat.pcap.out 
@@ -5,12 +5,12 @@ Apple 50 23466 2 WhatsApp 32 3243 2 Spotify 1 86 1 - 1 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes -> 0 pkts/0 bytes] - 2 UDP [fe80::189c:c31b:1298:224]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][1 pkts/111 bytes -> 0 pkts/0 bytes] - 3 UDP 192.168.2.4:61697 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][1 pkts/76 bytes <-> 1 pkts/204 bytes][Host: e12.whatsapp.net] - 4 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][24 pkts/15117 bytes <-> 20 pkts/6254 bytes] - 5 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][6 pkts/2052 bytes -> 0 pkts/0 bytes][Host: lucas-imac] - 6 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][17 pkts/1794 bytes <-> 13 pkts/1169 bytes] - 7 UDP 192.168.2.1:57621 -> 192.168.2.255:57621 [proto: 156/Spotify][1 pkts/86 bytes -> 0 pkts/0 bytes] - 8 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 140/Apple][6 pkts/2095 bytes -> 0 pkts/0 bytes] - 9 UDP 192.168.2.4:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/91 bytes -> 0 pkts/0 bytes] + 1 TCP 192.168.2.4:49205 <-> 17.173.66.102:443 [proto: 91.140/SSL.Apple][24 pkts/15117 bytes <-> 20 pkts/6254 bytes] + 2 TCP 192.168.2.4:49206 <-> 158.85.58.15:5222 [proto: 142/WhatsApp][17 pkts/1794 bytes <-> 13 pkts/1169 bytes] + 3 TCP 17.110.229.14:5223 -> 192.168.2.4:49193 [proto: 140/Apple][6 pkts/2095 bytes -> 0 pkts/0 bytes] + 4 UDP 0.0.0.0:68 -> 255.255.255.255:67 [proto: 18/DHCP][6 pkts/2052 bytes -> 0 pkts/0 bytes][Host: lucas-imac] + 5 UDP 192.168.2.1:17500 -> 192.168.2.255:17500 [proto: 121/Dropbox][2 pkts/1088 bytes -> 0 pkts/0 bytes] + 6 UDP 192.168.2.4:61697 <-> 192.168.2.1:53 [proto: 5.142/DNS.WhatsApp][1 pkts/76 bytes <-> 1 pkts/204 bytes][Host: e12.whatsapp.net] + 7 UDP [fe80::189c:c31b:1298:224]:5353 -> [ff02::fb]:5353 [proto: 8/MDNS][1 pkts/111 bytes -> 0 pkts/0 bytes] + 8 UDP 192.168.2.4:5353 -> 224.0.0.251:5353 [proto: 8/MDNS][1 pkts/91 bytes -> 0 pkts/0 bytes] + 9 UDP 192.168.2.1:57621 -> 
192.168.2.255:57621 [proto: 156/Spotify][1 pkts/86 bytes -> 0 pkts/0 bytes] diff --git a/tests/result/whatsapp_voice_and_message.pcap.out b/tests/result/whatsapp_voice_and_message.pcap.out index d417addc0..e368d33d9 100644 --- a/tests/result/whatsapp_voice_and_message.pcap.out +++ b/tests/result/whatsapp_voice_and_message.pcap.out 
@@ -1,16 +1,16 @@ Facebook 44 5916 8 WhatsApp 217 22139 5 - 1 UDP 10.8.0.1:53620 <-> 31.13.84.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 2 UDP 10.8.0.1:53620 <-> 31.13.74.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 3 UDP 10.8.0.1:53620 <-> 31.13.64.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 4 UDP 10.8.0.1:53620 <-> 31.13.73.48:3478 [proto: 78.119/STUN.Facebook][5 pkts/840 bytes <-> 4 pkts/344 bytes] - 5 UDP 10.8.0.1:53620 <-> 31.13.79.192:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 6 UDP 10.8.0.1:53620 <-> 31.13.93.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 7 TCP 10.8.0.1:42241 <-> 173.192.222.189:5222 [proto: 142/WhatsApp][30 pkts/2539 bytes <-> 32 pkts/3070 bytes] - 8 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 142/WhatsApp][24 pkts/3029 bytes <-> 22 pkts/1961 bytes] - 9 TCP 10.8.0.1:44819 <-> 158.85.58.42:5222 [proto: 142/WhatsApp][15 pkts/2690 bytes <-> 15 pkts/2019 bytes] - 10 TCP 10.8.0.1:51570 <-> 158.85.5.199:443 [proto: 142/WhatsApp][14 pkts/1123 bytes <-> 13 pkts/1097 bytes] - 11 TCP 10.8.0.1:49721 <-> 158.85.58.109:5222 [proto: 142/WhatsApp][26 pkts/2311 bytes <-> 26 pkts/2300 bytes] - 12 UDP 10.8.0.1:53620 <-> 173.252.121.1:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] - 13 UDP 10.8.0.1:53620 <-> 179.60.192.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 1 TCP 10.8.0.1:42241 <-> 173.192.222.189:5222 [proto: 142/WhatsApp][30 pkts/2539 bytes <-> 32 pkts/3070 bytes] + 2 TCP 10.8.0.1:35480 <-> 184.173.179.46:443 [proto: 142/WhatsApp][24 pkts/3029 bytes <-> 22 pkts/1961 bytes] + 3 TCP 10.8.0.1:44819 <-> 158.85.58.42:5222 [proto: 142/WhatsApp][15 pkts/2690 bytes <-> 15 pkts/2019 bytes] + 4 TCP 10.8.0.1:49721 <-> 158.85.58.109:5222 [proto: 142/WhatsApp][26 pkts/2311 bytes <-> 26 pkts/2300 bytes] + 5 TCP 10.8.0.1:51570 <-> 
158.85.5.199:443 [proto: 142/WhatsApp][14 pkts/1123 bytes <-> 13 pkts/1097 bytes] + 6 UDP 10.8.0.1:53620 <-> 31.13.73.48:3478 [proto: 78.119/STUN.Facebook][5 pkts/840 bytes <-> 4 pkts/344 bytes] + 7 UDP 10.8.0.1:53620 <-> 173.252.121.1:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 8 UDP 10.8.0.1:53620 <-> 31.13.79.192:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 9 UDP 10.8.0.1:53620 <-> 31.13.64.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 10 UDP 10.8.0.1:53620 <-> 179.60.192.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 11 UDP 10.8.0.1:53620 <-> 31.13.74.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 12 UDP 10.8.0.1:53620 <-> 31.13.93.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] + 13 UDP 10.8.0.1:53620 <-> 31.13.84.48:3478 [proto: 78.119/STUN.Facebook][3 pkts/504 bytes <-> 2 pkts/172 bytes] diff --git a/tests/result/youtube_quic.pcap.out b/tests/result/youtube_quic.pcap.out index 7c0bc9e80..e5a53ae38 100644 --- a/tests/result/youtube_quic.pcap.out +++ b/tests/result/youtube_quic.pcap.out 
@@ -1,6 +1,6 @@ YouTube 258 178495 1 Google 31 13144 2 - 1 UDP 192.168.1.7:53859 <-> 216.58.205.66:443 [proto: 188.126/QUIC.Google][9 pkts/3929 bytes <-> 9 pkts/4736 bytes][Host: googleads.g.doubleclick.net] - 2 UDP 192.168.1.7:54997 <-> 216.58.205.66:443 [proto: 188.126/QUIC.Google][7 pkts/2312 bytes <-> 6 pkts/2167 bytes][Host: pagead2.googlesyndication.com] - 3 UDP 192.168.1.7:56074 <-> 216.58.198.33:443 [proto: 188.124/QUIC.YouTube][113 pkts/16111 bytes <-> 145 pkts/162384 bytes][Host: yt3.ggpht.com] + 1 UDP 192.168.1.7:56074 <-> 216.58.198.33:443 [proto: 188.124/QUIC.YouTube][113 pkts/16111 bytes <-> 145 pkts/162384 bytes][Host: yt3.ggpht.com] + 2 UDP 192.168.1.7:53859 <-> 216.58.205.66:443 [proto: 188.126/QUIC.Google][9 pkts/3929 bytes <-> 9 pkts/4736 bytes][Host: googleads.g.doubleclick.net] + 3 UDP 192.168.1.7:54997 <-> 216.58.205.66:443 [proto: 188.126/QUIC.Google][7 pkts/2312 bytes <-> 6 pkts/2167 bytes][Host: pagead2.googlesyndication.com] -- cgit v1.2.3 From f575959cd2ccfda1c1375624cec80e1c9a92f5b0 Mon Sep 17 00:00:00 2001 From: berat Date: Fri, 22 Sep 2017 19:00:27 +0200 Subject: typos and renames --- example/ndpiReader.c | 30 +++++++++++++++--------------- example/ndpi_util.h | 4 ++-- 2 files changed, 17 insertions(+), 17 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 9def14de1..218f251c3 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -1502,7 +1502,7 @@ static void saveScannerStats(json_object **jObj_group, struct single_flow_info * if(j >= 10) break; } - json_object_object_add(jObj_stat,"top.ports",jArray_ports); + json_object_object_add(jObj_stat,"top.dst.ports",jArray_ports); json_object_array_add(jArray_stats, jObj_stat); j = 0; 
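Review bot: Renaming the emitted key from `top.ports` to `top.dst.ports` in saveScannerStats changes the JSON format that -b writes and -x reads, with no version marker or fallback; the hunks at -1510, -1545, -1569 and -1580 rename further keys the same way. The reader hunks at -2602, -2719 and -2733 look up only the new names and exit with "use -x flag only with .json files generated by ndpiReader -b flag", which misdirects someone whose file was generated by an earlier build. Either accept the old name as a fallback in the readers, for example `if(!json_object_object_get_ex(stats, "top.scanner.stats", &val) && !json_object_object_get_ex(stats, "scanner.stats", &val)) {`, or state in the message that the key names changed. No reader for `top.dst.ports`, `host.number`, `host.percent` or `host.app.protocol` appears in this diff, so any lookup outside these hunks that still uses the old names should be checked. saveScannerStats starts and ends outside this hunk.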
@@ -1510,7 +1510,7 @@ static void saveScannerStats(json_object **jObj_group, struct single_flow_info * if(i >= 10) break; } - json_object_object_add(*jObj_group, "scanner.stats", jArray_stats); + json_object_object_add(*jObj_group, "top.scanner.stats", jArray_stats); } @@ -1545,8 +1545,8 @@ static void saveTopStats(json_object **jObj_group, json_object_new_double(((double)s->num_flows)/s->num_pkts)); else json_object_object_add(jObj_stat,"flows.num_packets",json_object_new_double(0.0)); - json_object_object_add(jObj_stat,"aggressive.ip",json_object_new_string(s->top_ip)); - json_object_object_add(jObj_stat,"protocol",json_object_new_string(s->proto)); + json_object_object_add(jObj_stat,"aggressive.host",json_object_new_string(s->top_ip)); + json_object_object_add(jObj_stat,"host.app.protocol",json_object_new_string(s->proto)); json_object_array_add(jArray_stats, jObj_stat); i++; @@ -1569,8 +1569,8 @@ static void saveTopStats(json_object **jObj_group, json_object *jObj_stat = json_object_new_object(); json_object_object_add(jObj_stat,"port",json_object_new_int(s->port)); - json_object_object_add(jObj_stat,"ip.total",json_object_new_int64(s->num_addr)); - json_object_object_add(jObj_stat,"ip.percent",json_object_new_double((s->num_addr*100.0)/total_ip_addr)); + json_object_object_add(jObj_stat,"host.number",json_object_new_int64(s->num_addr)); + json_object_object_add(jObj_stat,"host.percent",json_object_new_double((s->num_addr*100.0)/total_ip_addr)); json_object_object_add(jObj_stat,"flows.number",json_object_new_double(s->num_flows)); json_object_array_add(jArray_stats,jObj_stat); @@ -1580,7 +1580,7 @@ static void saveTopStats(json_object **jObj_group, } json_object_object_add(*jObj_group, (direction == DIR_SRC) ? - "top.src.ip.stats" : "top.dst.ip.stats", jArray_stats); + "top.src.host.stats" : "top.dst.host.stats", jArray_stats); } #endif 
@@ -2500,7 +2500,7 @@ void bpf_filter_port_array_add(int filter_array[], int size, int port) { /* *********************************************** */ /* - * @brief add ports which have (flows/packets > treshold) + * @brief add ports which have (flows/packets > threshold) * and have (#flows > %1 of total flows) to the srcPortArray * to filter */ @@ -2529,7 +2529,7 @@ void getPacketBasedSourcePortsToFilter(struct json_object *jObj_stat, int srcPor double flows_packets = json_object_get_double(jObj_flows_packets); - if((flows_packets > FLOWS_PACKETS_TRESHOLD) && (flows_percent >= FLOWS_PERCENT_TRESHOLD)) { + if((flows_packets > FLOWS_PACKETS_THRESHOLD) && (flows_percent >= FLOWS_PERCENT_THRESHOLD)) { if((res = json_object_object_get_ex(src_pkts_stat, "port", &jObj_port)) == 0) { fprintf(stderr, "ERROR: can't get \"port\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); @@ -2602,8 +2602,8 @@ void getTopReceiverHostsToFilter(struct json_object *jObj_stat, int duration, co if(flows_percent > 0.2) { - if((res = json_object_object_get_ex(scanner_stat, "aggressive.ip", &jObj_host_address)) == 0) { - fprintf(stderr, "ERROR: can't get \"aggressive.ip\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + if((res = json_object_object_get_ex(scanner_stat, "aggressive.host", &jObj_host_address)) == 0) { + fprintf(stderr, "ERROR: can't get \"aggressive.host\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); } const char *host_address = json_object_get_string(jObj_host_address); 
@@ -2719,8 +2719,8 @@ static void produceBpfFilter(char *filePath) { json_object *stats = json_object_array_get_idx(jObj_statistics, i); json_object *val; - if((res = json_object_object_get_ex(stats, "scanner.stats", &val)) == 0) { - fprintf(stderr,"ERROR: can't get \"scanner.stats\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + if((res = json_object_object_get_ex(stats, "top.scanner.stats", &val)) == 0) { + fprintf(stderr,"ERROR: can't get \"top.scanner.stats\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); } getScannerHostsToFilter(val, duration, filterSrcHosts, HOST_ARRAY_SIZE); @@ -2733,8 +2733,8 @@ static void produceBpfFilter(char *filePath) { getPacketBasedSourcePortsToFilter(val, filterSrcPorts, PORT_ARRAY_SIZE); - if((res = json_object_object_get_ex(stats, "top.src.ip.stats", &val)) == 0) { - fprintf(stderr,"ERROR: can't get \"top.src.ip.stats\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + if((res = json_object_object_get_ex(stats, "top.src.host.stats", &val)) == 0) { + fprintf(stderr,"ERROR: can't get \"top.src.host.stats\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); } getHostBasedSourcePortsToFilter(val, duration, filterSrcPorts, PORT_ARRAY_SIZE); diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 5fe3dc66b..fd4c4b84d 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -46,8 +46,8 @@ #define DIR_DST 20 #define PORT_ARRAY_SIZE 20 #define HOST_ARRAY_SIZE 20 -#define FLOWS_PACKETS_TRESHOLD 0.9 -#define FLOWS_PERCENT_TRESHOLD 1.0 +#define FLOWS_PACKETS_THRESHOLD 0.9 +#define FLOWS_PERCENT_THRESHOLD 1.0 #define INIT_VAL -1 // flow tracking -- cgit v1.2.3 From b0f3852fed9273f530753573ca1bde9d714ae988 Mon Sep 17 00:00:00 2001 
From: berat Date: Mon, 25 Sep 2017 11:06:47 +0200 Subject: improved (-x flag) bpf filter condition --- example/ndpiReader.c | 88 +++++++++++++++++++++++++++++++++++++++++++--------- example/ndpi_util.h | 1 + 2 files changed, 74 insertions(+), 15 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 4b2caba0a..f1cb40c75 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -2375,12 +2375,6 @@ void bpf_filter_pkt_peak_filter(json_object **jObj_bpfFilter, int port_array[], json_object_object_add(*jObj_bpfFilter, "pkt.peak.filter", json_object_new_string(filter)); else json_object_object_add(*jObj_bpfFilter, "pkt.peak.filter", json_object_new_string("")); - - /*if(produced) - fprintf(fp,"%s\n",filter); - else - fprintf(fp,"");*/ - } #endif @@ -2490,6 +2484,62 @@ void bpf_filter_port_array_add(int filter_array[], int size, int port) { } +/* *********************************************** */ +float getAverage(struct json_object *jObj_stat, char *field){ + json_object *field_stat; + json_bool res; + float average; + float sum = 0; + int r; + int j; + + if((r = strcmp(field, "top.scanner.stats")) == 0){ + for(j=0; j 1000) { + if(((tot_flows_number/duration) > FLOWS_THRESHOLD) && tot_flows_number > threshold) { if((res = json_object_object_get_ex(scanner_stat, "ip.address", &jObj_host_address)) == 0) { fprintf(stderr, "ERROR: can't get \"ip.address\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); 
@@ -2647,16 +2699,18 @@ void getHostBasedSourcePortsToFilter(struct json_object *jObj_stat, int duration #ifdef HAVE_JSON_C static void produceBpfFilter(char *filePath) { - int fsock; - struct stat statbuf; - void *fmap; - int filterSrcPorts[PORT_ARRAY_SIZE]; /* ports to filter */ - const char *filterSrcHosts[48]; /* hosts to filter */ - const char *filterDstHosts[48]; /* hosts to filter */ json_object *jObj; /* entire json object from file */ json_object *jObj_duration; json_object *jObj_statistics; /* json array */ json_bool res; + int filterSrcPorts[PORT_ARRAY_SIZE]; + const char *filterSrcHosts[48]; + const char *filterDstHosts[48]; + struct stat statbuf; + void *fmap; + int fsock; + float average; + float deviation; int duration; int typeCheck; int array_len; @@ -2716,7 +2770,11 @@ static void produceBpfFilter(char *filePath) { fprintf(stderr,"ERROR: can't get \"top.scanner.stats\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); } - getScannerHostsToFilter(val, duration, filterSrcHosts, HOST_ARRAY_SIZE); + + if((average = getAverage(val, "top.scanner.stats")) != 0){ + deviation = getStdDeviation(val, average, "top.scanner.stats"); + getScannerHostsToFilter(val, duration, filterSrcHosts, HOST_ARRAY_SIZE, average+deviation); + } if((res = json_object_object_get_ex(stats, "top.src.pkts.stats", &val)) == 0) { diff --git a/example/ndpi_util.h b/example/ndpi_util.h index fd4c4b84d..eb54ac9fb 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -48,6 +48,7 @@ #define HOST_ARRAY_SIZE 20 #define FLOWS_PACKETS_THRESHOLD 0.9 #define FLOWS_PERCENT_THRESHOLD 1.0 +#define FLOWS_THRESHOLD 1000 #define INIT_VAL -1 // flow tracking -- cgit v1.2.3 From 98d1c762cdcf0f0426de513039d844589d878609 Mon Sep 17 00:00:00 2001 
From: berat Date: Mon, 9 Oct 2017 22:21:40 +0200 Subject: extended (-b flag) statistics with top receiver stats --- example/ndpiReader.c | 440 +++++++++++++++++++++++++++++++++++++++++---------- example/ndpi_util.h | 4 + 2 files changed, 361 insertions(+), 83 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 29f3f71b6..422e1a9dd 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -145,7 +145,7 @@ struct port_flow_info { UT_hash_handle hh; }; -// struct to hold single packet tcp flows send by source ip address +// struct to hold single packet tcp flows sent by source ip address struct single_flow_info { u_int32_t saddr; /* key */ u_int8_t version; /* IP version */ @@ -156,6 +156,17 @@ struct single_flow_info { struct single_flow_info *scannerHosts = NULL; +// struct to hold top receiver hosts +struct receiver { + u_int32_t addr; /* key */ + u_int8_t version; /* IP version */ + u_int32_t num_pkts; + UT_hash_handle hh; +}; + +struct receiver *receivers = NULL, *topReceivers = NULL; + + struct ndpi_packet_trailer { u_int32_t magic; /* 0x19682017 */ u_int16_t master_protocol /* e.g. HTTP */, app_protocol /* e.g. FaceBook */; 
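Review bot: `struct receiver` stores the key as a 32-bit `addr` next to a `version` field, so an IPv6 destination cannot be held in it. saveReceiverStats, added in the larger ndpiReader.c hunk of this commit, passes `&(r->addr)` to `inet_ntop(AF_INET6, ...)`, which reads 16 bytes from that 4-byte field and so reads past the member. Either mark the table as IPv4-only, `u_int32_t addr; /* key, IPv4 only */`, and skip entries whose `version` is not `IPVERSION` before formatting, or widen the key to hold a full IPv6 address. How `flow->dst_ip` is filled for IPv6 flows is not visible here, so the truncation on insert is inferred.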
@@ -1061,6 +1072,188 @@ static void updatePortStats(struct port_stats **stats, u_int32_t port, } } +/* *********************************************** */ + +/* @brief heuristic choice for receiver stats */ +static int acceptable(u_int32_t num_pkts){ + return num_pkts > 5; +} + +/* *********************************************** */ + +static int receivers_sort(void *_a, void *_b) { + struct receiver *a = (struct receiver *)_a; + struct receiver *b = (struct receiver *)_b; + + return(b->num_pkts - a->num_pkts); +} + +/* *********************************************** */ + +static int receivers_sort_asc(void *_a, void *_b) { + struct receiver *a = (struct receiver *)_a; + struct receiver *b = (struct receiver *)_b; + + return(a->num_pkts - b->num_pkts); +} + +/* ***************************************************** */ +/*@brief removes first (size - max) elements from hash table. + * hash table is ordered in ascending order. +*/ +static struct receiver *cutBackTo(struct receiver *receivers, u_int32_t max) { + struct receiver *r, *tmp; + int i=0; + int size; + int count; + + size = HASH_COUNT(receivers); + + if(size < max){ + printf("Error: invalid size value\n"); + exit(-1); + } + + count = size - max; + + HASH_ITER(hh, receivers, r, tmp) { + if(i++ == count) + return r; + HASH_DEL(receivers, r); + free(r); + } +} + +/* *********************************************** */ +/*@brief merge first table to the second table. 
+ * if element already in the second table + * then updates its value + * else adds it to the second table +*/ +static void mergeTables(struct receiver *primary, struct receiver **secondary) { + struct receiver *r, *s, *tmp; + + HASH_ITER(hh, primary, r, tmp) { + HASH_FIND_INT(*secondary, (int *)&(r->addr), s); + if(s == NULL) + HASH_ADD_INT(*secondary, addr, r); + else + s->num_pkts += r->num_pkts; + } +} +/* *********************************************** */ +/*@brief resets a table without freeing its elements +*/ +static void resetReceivers(struct receiver *receivers) { + struct receiver *current, *tmp; + + HASH_ITER(hh, receivers, current, tmp) { + //HASH_DEL(receivers, current); + current = NULL; + } +} + +/* *********************************************** */ + +static void deleteReceivers(struct receiver *receivers) { + struct receiver *current, *tmp; + + HASH_ITER(hh, receivers, current, tmp) { + HASH_DEL(receivers, current); + free(current); + } +} + +/* *********************************************** */ +/* implementation of: https://jeroen.massar.ch/presentations/files/FloCon2010-TopK.pdf + * + * if (table1.size < max1 || acceptable){ + * create new element and add to the table1 + * if (table1.size > max2) { + * cut table1 back to max1 + * merge table 1 to table2 + * if(table2.size > max1) + * cut table2 back to max1 + * } + * } + * else + * update table1 +*/ +static void updateReceivers(struct receiver **receivers, u_int32_t dst_addr, + u_int8_t version, u_int32_t num_pkts, + struct receiver **topReceivers) { + struct receiver *r; + u_int32_t size; + int a; + + HASH_FIND_INT(*receivers, (int *)&dst_addr, r); + if(r == NULL) { + if(((size = HASH_COUNT(*receivers)) < MAX_TABLE_SIZE_1) + || ((a = acceptable(num_pkts)) != 0)){ + r = (struct receiver *)malloc(sizeof(struct receiver)); + if(!r) return; + + r->addr = dst_addr; + r->version = version; + r->num_pkts = num_pkts; + + HASH_ADD_INT(*receivers, addr, r); + + if((size = HASH_COUNT(*receivers)) > 
MAX_TABLE_SIZE_2){ + HASH_SORT(*receivers, receivers_sort_asc); + *receivers = cutBackTo(*receivers, MAX_TABLE_SIZE_1); + mergeTables(*receivers, topReceivers); + + if((size = HASH_COUNT(*topReceivers)) > MAX_TABLE_SIZE_1){ + HASH_SORT(*topReceivers, receivers_sort_asc); + *topReceivers = cutBackTo(*topReceivers, MAX_TABLE_SIZE_1); + } + + resetReceivers(*receivers); + *receivers = NULL; + } + } + } + else + r->num_pkts += num_pkts; +} + +/* *********************************************** */ + +#ifdef HAVE_JSON_C +static void saveReceiverStats(json_object **jObj_group, + struct receiver *receivers, + u_int64_t total_pkt_count) { + + json_object *jArray_stats = json_object_new_array(); + struct receiver *r, *tmp; + int i = 0; + + HASH_ITER(hh, receivers, r, tmp) { + json_object *jObj_stat = json_object_new_object(); + char addr_name[48]; + + if(r->version == IPVERSION) + inet_ntop(AF_INET, &(r->addr), addr_name, sizeof(addr_name)); + else + inet_ntop(AF_INET6, &(r->addr), addr_name, sizeof(addr_name)); + + + json_object_object_add(jObj_stat,"ip.address",json_object_new_string(addr_name)); + json_object_object_add(jObj_stat,"packets.number", json_object_new_int(r->num_pkts)); + json_object_object_add(jObj_stat,"packets.percent",json_object_new_double(((double)r->num_pkts) / total_pkt_count)); + + json_object_array_add(jArray_stats, jObj_stat); + + i++; + if(i >= 10) break; + } + + json_object_object_add(*jObj_group, "top.receiver.stats", jArray_stats); +} +#endif + + /* *********************************************** */ static void deleteScanners(struct single_flow_info *scanners) { 
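Review bot: mergeTables leaks every entry that takes its `else` branch: the count is added to `s`, but `r` is neither unlinked nor freed. resetReceivers only assigns NULL to its loop variable, and updateReceivers then sets `*receivers = NULL`, so those nodes become unreachable. The `s == NULL` branch also re-adds `r` to `*secondary` through the same `hh` handle while it is still linked in `primary`; a `HASH_DEL(primary, r);` before the `HASH_ADD_INT` would keep the handle consistent. For the other branch, `else { s->num_pkts += r->num_pkts; free(r); }` closes the leak, after which resetReceivers can be dropped. Separately, `receivers_sort` and `receivers_sort_asc` return the difference of two `u_int32_t` counters, which wraps for large gaps; a comparison such as `return (a->num_pkts > b->num_pkts) - (a->num_pkts < b->num_pkts);` avoids that.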
@@ -1117,6 +1310,9 @@ static void port_stats_walker(const void *node, ndpi_VISIT which, int depth, voi updateScanners(&scannerHosts, flow->src_ip, flow->ip_version, dport); } + updateReceivers(&receivers, flow->dst_ip, flow->ip_version, + flow->src2dst_packets, &topReceivers); + updatePortStats(&srcStats, sport, flow->src_ip, flow->ip_version, flow->src2dst_packets, flow->src2dst_bytes, proto); @@ -1531,8 +1727,8 @@ static void saveTopStats(json_object **jObj_group, json_object *jObj_stat = json_object_new_object(); json_object_object_add(jObj_stat,"port",json_object_new_int(s->port)); - json_object_object_add(jObj_stat,"packets.number",json_object_new_int64(s->num_pkts)); - json_object_object_add(jObj_stat,"flows.number",json_object_new_double(s->num_flows)); + json_object_object_add(jObj_stat,"packets.number",json_object_new_int(s->num_pkts)); + json_object_object_add(jObj_stat,"flows.number",json_object_new_int(s->num_flows)); json_object_object_add(jObj_stat,"flows.percent",json_object_new_double((s->num_flows*100.0)/total_flow_count)); if(s->num_pkts) json_object_object_add(jObj_stat,"flows/packets", json_object_new_double(((double)s->num_flows)/s->num_pkts)); @@ -1570,7 +1766,7 @@ static void saveTopStats(json_object **jObj_group, json_object_object_add(jObj_stat,"port",json_object_new_int(s->port)); json_object_object_add(jObj_stat,"host.number",json_object_new_int64(s->num_addr)); json_object_object_add(jObj_stat,"host.percent",json_object_new_double((s->num_addr*100.0)/total_ip_addr)); - json_object_object_add(jObj_stat,"flows.number",json_object_new_double(s->num_flows)); + json_object_object_add(jObj_stat,"flows.number",json_object_new_int(s->num_flows)); json_object_array_add(jArray_stats,jObj_stat); i++; 
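Review bot: In saveTopStats, `packets.number` moves from `json_object_new_int64(s->num_pkts)` to `json_object_new_int(s->num_pkts)`, which narrows the exported value to a 32-bit signed int. The type of `s->num_pkts` is declared outside the hunk, so this is hedged, but if it is an unsigned or 64-bit counter a long capture will be misreported once it passes INT32_MAX. Keeping `json_object_new_int64(s->num_pkts)` costs nothing on the reader side. The same applies to `flows.number` here and in the following hunk, where `json_object_new_int64(s->num_flows)` would fix the double-typed field without narrowing it.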
@@ -1895,11 +2091,13 @@ static void printResults(u_int64_t tot_usec) { fclose(json_fp); #endif } - - if(verbose == 3) { + + if(stats_flag || verbose == 3) { HASH_SORT(srcStats, port_stats_sort); HASH_SORT(dstStats, port_stats_sort); - + } + + if(verbose == 3) { printf("\n\nSource Ports Stats:\n"); printPortStats(srcStats); @@ -1911,12 +2109,22 @@ static void printResults(u_int64_t tot_usec) { #ifdef HAVE_JSON_C json_object *jObj_stats = json_object_new_object(); char timestamp[64]; + int count; strftime(timestamp, sizeof(timestamp), "%FT%TZ", localtime(&pcap_start.tv_sec)); json_object_object_add(jObj_stats, "time", json_object_new_string(timestamp)); saveScannerStats(&jObj_stats, &scannerHosts); + if((count = HASH_COUNT(topReceivers)) == 0){ + HASH_SORT(receivers, receivers_sort); + saveReceiverStats(&jObj_stats, receivers, cumulative_stats.ip_packet_count); + } + else{ + HASH_SORT(topReceivers, receivers_sort); + saveReceiverStats(&jObj_stats, topReceivers, cumulative_stats.ip_packet_count); + } + u_int64_t total_src_addr = getTopStats(srcStats); u_int64_t total_dst_addr = getTopStats(dstStats); @@ -1935,6 +2143,16 @@ static void printResults(u_int64_t tot_usec) { deleteScanners(scannerHosts); scannerHosts = NULL; } + + if(receivers){ + deleteReceivers(receivers); + receivers = NULL; + } + + if(topReceivers){ + deleteReceivers(topReceivers); + topReceivers = NULL; + } if(srcStats) { deletePortsStats(srcStats); @@ -2333,7 +2551,12 @@ void automataUnitTest() { * sent by source hosts. */ #ifdef HAVE_JSON_C -void bpf_filter_pkt_peak_filter(json_object **jObj_bpfFilter, int port_array[], int p_size, const char *host_array[16], int h_size) { +void bpf_filter_pkt_peak_filter(json_object **jObj_bpfFilter, + int port_array[], int p_size, + const char *src_host_array[16], + int sh_size, + const char *dst_host_array[16], + int dh_size) { char filter[2048]; int produced = 0; int i = 0; 
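Review bot: In the printResults hunk that saves receiver stats, the `else` branch reports only `topReceivers`. updateReceivers merges only when `receivers` grows past `MAX_TABLE_SIZE_2`, so whatever accumulated in `receivers` after the last merge is left out of `top.receiver.stats`. If dropping that tail is an accepted part of the approximation, say so with a comment such as `/* entries added to receivers since the last merge are ignored on purpose */`; otherwise the two tables need to be combined before the sort. printResults begins and ends outside the hunk.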
@@ -2359,7 +2582,7 @@ void bpf_filter_pkt_peak_filter(json_object **jObj_bpfFilter, int port_array[], } - if(host_array[0] != NULL) { + if(src_host_array[0] != NULL) { int l; if(port_array[0] != INIT_VAL) @@ -2367,15 +2590,42 @@ void bpf_filter_pkt_peak_filter(json_object **jObj_bpfFilter, int port_array[], else strcpy(filter, "not (src "); + i=0; + while(i < sh_size && src_host_array[i] != NULL) { + l = strlen(filter); + + if(i+1 == sh_size || src_host_array[i+1] == NULL) + snprintf(&filter[l], sizeof(filter)-l, "%s", src_host_array[i]); + else + snprintf(&filter[l], sizeof(filter)-l, "%s or ", src_host_array[i]); - while(i < h_size && host_array[i] != NULL) { + i++; + } + + l = strlen(filter); + snprintf(&filter[l], sizeof(filter)-l, "%s", ")"); + produced = 1; + } + + + if(dst_host_array[0] != NULL) { + int l; + + if(port_array[0] != INIT_VAL || src_host_array[0] != NULL) + strncat(filter, " and not (dst ", sizeof(" and not (dst ")); + else + strcpy(filter, "not (dst "); + + i=0; + + while(i < dh_size && dst_host_array[i] != NULL) { l = strlen(filter); - if(i+1 == h_size || host_array[i+1] == NULL) - snprintf(&filter[l], sizeof(filter)-l, "%s", host_array[i]); + if(i+1 == dh_size || dst_host_array[i+1] == NULL) + snprintf(&filter[l], sizeof(filter)-l, "%s", dst_host_array[i]); else - snprintf(&filter[l], sizeof(filter)-l, "%s or ", host_array[i]); + snprintf(&filter[l], sizeof(filter)-l, "%s or ", dst_host_array[i]); i++; } @@ -2385,6 +2635,8 @@ void bpf_filter_pkt_peak_filter(json_object **jObj_bpfFilter, int port_array[], produced = 1; } + + if(produced) json_object_object_add(*jObj_bpfFilter, "pkt.peak.filter", json_object_new_string(filter)); else 
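Review bot: The new `strncat(filter, " and not (dst ", sizeof(" and not (dst "));` bounds the copy by the size of the source literal, not by the space left in `filter`. After the source-host loop `filter` can already hold up to 2047 characters, since the `snprintf` calls truncate at `sizeof(filter)`, and in that case this call writes past the 2048-byte buffer. Using the same pattern as the rest of the function keeps it bounded: `l = strlen(filter); snprintf(&filter[l], sizeof(filter)-l, "%s", " and not (dst ");`. The host strings come from the JSON file given with -x, so the length is input-controlled up to the array sizes.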
@@ -2399,7 +2651,9 @@ void bpf_filter_pkt_peak_filter(json_object **jObj_bpfFilter, int port_array[], * addresses. */ #ifdef HAVE_JSON_C -void bpf_filter_host_peak_filter(json_object **jObj_bpfFilter, const char *host_array[16], int h_size) { +void bpf_filter_host_peak_filter(json_object **jObj_bpfFilter, + const char *host_array[16], + int h_size) { char filter[2048]; int produced = 0; int i = 0; @@ -2511,7 +2765,7 @@ float getAverage(struct json_object *jObj_stat, char *field){ int r; int j; - if((r = strcmp(field, "top.scanner.stats")) == 0){ + if((r = strcmp(field, "top.scanner.stats")) == 0) { for(j=0; j threshold) - * and have (#flows > %1 of total flows) to the srcPortArray - * to filter - */ -void getPacketBasedSourcePortsToFilter(struct json_object *jObj_stat, int srcPortArray[], int size) { +void getSourcePorts(struct json_object *jObj_stat, int srcPortArray[], int size, float threshold) { int j; for(j=0; j FLOWS_PACKETS_THRESHOLD) && (flows_percent >= FLOWS_PERCENT_THRESHOLD)) { + if((flows_packets > FLOWS_PACKETS_THRESHOLD) + && (flows_percent >= FLOWS_PERCENT_THRESHOLD) + && packets_number >= threshold) { if((res = json_object_object_get_ex(src_pkts_stat, "port", &jObj_port)) == 0) { fprintf(stderr, "ERROR: can't get \"port\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); 
@@ -2611,73 +2882,66 @@ void getPacketBasedSourcePortsToFilter(struct json_object *jObj_stat, int srcPor /* *********************************************** */ -/* - * @brief add scanner hosts which have more than 1000 - * flows per second to the srcHostArray to filter - */ #ifdef HAVE_JSON_C -void getScannerHostsToFilter(struct json_object *jObj_stat, int duration, - const char *srcHostArray[48], int size, - float threshold) { +void getReceiverHosts(struct json_object *jObj_stat, const char *dstHostArray[16], int size) { int j; for(j=0; j FLOWS_THRESHOLD) && tot_flows_number > threshold) { + if(pkts_percent > PKTS_PERCENT_THRESHOLD) { if((res = json_object_object_get_ex(scanner_stat, "ip.address", &jObj_host_address)) == 0) { - fprintf(stderr, "ERROR: can't get \"ip.address\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + fprintf(stderr, "ERROR: can't get \"ip.address, use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); } const char *host_address = json_object_get_string(jObj_host_address); - bpf_filter_host_array_add(srcHostArray, size, host_address); - + bpf_filter_host_array_add(dstHostArray, size, host_address); } } } #endif /* *********************************************** */ -/* - * @brief add to the dstHostArray to filter destination - * hosts which have more than 2 percent of flows per minute - */ + #ifdef HAVE_JSON_C -void getTopReceiverHostsToFilter(struct json_object *jObj_stat, int duration, const char *dstHostArray[16], int size) { +void getScannerHosts(struct json_object *jObj_stat, int duration, + const char *srcHostArray[48], int size, + float threshold) { int j; for(j=0; j 0.2) { - if((res = json_object_object_get_ex(scanner_stat, "aggressive.host", &jObj_host_address)) == 0) { - fprintf(stderr, "ERROR: can't get \"aggressive.host\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + if(((tot_flows_number/(float)duration) > FLOWS_THRESHOLD) && tot_flows_number > 
threshold) { + if((res = json_object_object_get_ex(scanner_stat, "ip.address", &jObj_host_address)) == 0) { + fprintf(stderr, "ERROR: can't get \"ip.address\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); } const char *host_address = json_object_get_string(jObj_host_address); - bpf_filter_host_array_add(dstHostArray, size, host_address); + bpf_filter_host_array_add(srcHostArray, size, host_address); } } @@ -2685,35 +2949,35 @@ void getTopReceiverHostsToFilter(struct json_object *jObj_stat, int duration, co #endif /* *********************************************** */ -/* - * @brief add ports which have more than 1000 flows per - * second to the srcHostArray to filter - */ + #ifdef HAVE_JSON_C -void getHostBasedSourcePortsToFilter(struct json_object *jObj_stat, int duration, int srcPortArray[], int size) { +void getDestinationHosts(struct json_object *jObj_stat, int duration, + const char *dstHostArray[16], int size) { int j; for(j=0; j 1000) { - if((res = json_object_object_get_ex(src_pkts_stat, "port", &jObj_port)) == 0) { - fprintf(stderr, "ERROR: can't get \"port\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); + if(flows_percent > FLOWS_PERCENT_THRESHOLD_2) { + if((res = json_object_object_get_ex(scanner_stat, "aggressive.host", &jObj_host_address)) == 0) { + fprintf(stderr, "ERROR: can't get \"aggressive.host\", use -x flag only with .json files generated by ndpiReader -b flag.\n"); exit(-1); } - int port = json_object_get_int(jObj_port); + const char *host_address = json_object_get_string(jObj_host_address); + + bpf_filter_host_array_add(dstHostArray, size, host_address); - bpf_filter_port_array_add(srcPortArray, size, port); } } } 
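Review bot: The error message added in getReceiverHosts lost its closing escaped quote: `"ERROR: can't get \"ip.address, use -x flag ..."` prints an unbalanced quote, unlike the sibling messages. It should read `"ERROR: can't get \"ip.address\", use -x flag only with .json files generated by ndpiReader -b flag.\n"`. In getScannerHosts in the same hunk, `tot_flows_number/(float)duration` becomes infinite when `duration` is 0, so every host with flows passes the rate test; `duration` is read from the input file outside this hunk, so whether 0 is rejected earlier cannot be confirmed from here.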
@@ -2730,7 +2994,12 @@ static void produceBpfFilter(char *filePath) { int filterSrcPorts[PORT_ARRAY_SIZE]; const char *filterSrcHosts[48]; const char *filterDstHosts[48]; + const char *filterPktDstHosts[48]; struct stat statbuf; + FILE *fp = NULL; + char *fileName; + char _filterFilePath[1024]; + json_object *jObj_bpfFilter; void *fmap; int fsock; float average; @@ -2739,11 +3008,7 @@ static void produceBpfFilter(char *filePath) { int typeCheck; int array_len; int i; - FILE *fp = NULL; - char *fileName; - char _filterFilePath[1024]; - json_object *jObj_bpfFilter; - + if((fsock = open(filePath, O_RDONLY)) == -1) { fprintf(stderr,"error opening file %s\n", filePath); exit(-1); 
@@ -2787,6 +3052,7 @@ static void produceBpfFilter(char *filePath) { bpf_filter_port_array_init(filterSrcPorts, PORT_ARRAY_SIZE); bpf_filter_host_array_init(filterSrcHosts, HOST_ARRAY_SIZE); bpf_filter_host_array_init(filterDstHosts, HOST_ARRAY_SIZE); + bpf_filter_host_array_init(filterPktDstHosts, HOST_ARRAY_SIZE/2); for(i=0; i Date: Sat, 14 Oct 2017 14:38:48 +0300 Subject: Refactoring the debugging output. levels of debug output: 0 - ERROR: Only for errors. 1 - TRACE: Start of each packets and if found protocol. 2 - DEBUG: Start of searching each protocol and excluding protocols. 3 - DEBUG_EXTRA: For all other messages. Added field ndpi_struct->debug_logging for enable debug output of each protocols. Simple macros for debugging output are added: NDPI_LOG_ERR(), NDPI_LOG_INFO(), NDPI_LOG_DBG(), NDPI_LOG_DBG2(), NDPI_EXCLUDE_PROTO() --- example/ndpiReader.c | 37 +++++-- example/ndpi_util.c | 66 ++++++++++++ example/ndpi_util.h | 3 + src/include/ndpi_api.h | 14 +++ src/include/ndpi_define.h.in | 69 ++++++++++--- src/include/ndpi_typedefs.h | 5 +- src/lib/ndpi_main.c | 166 ++++++++++++++++++------------ src/lib/protocols/afp.c | 15 ++- src/lib/protocols/aimini.c | 74 +++++++------- src/lib/protocols/amqp.c | 13 ++- src/lib/protocols/applejuice.c | 15 +-- src/lib/protocols/armagetron.c | 22 ++-- src/lib/protocols/ayiya.c | 14 ++- src/lib/protocols/battlefield.c | 22 ++-- src/lib/protocols/bgp.c | 16 ++- src/lib/protocols/bittorrent.c | 84 +++++++--------- src/lib/protocols/bjnp.c | 12 ++- src/lib/protocols/btlib.c | 2 +- src/lib/protocols/ciscovpn.c | 21 ++-- src/lib/protocols/citrix.c | 21 ++-- src/lib/protocols/coap.c | 20 ++-- src/lib/protocols/collectd.c | 14 ++- src/lib/protocols/corba.c | 15 +-- src/lib/protocols/crossfire.c | 34 +++---- src/lib/protocols/csgo.c | 34 ++++--- src/lib/protocols/dcerpc.c | 15 ++- src/lib/protocols/dhcp.c | 24 ++--- src/lib/protocols/dhcpv6.c | 16 +-- src/lib/protocols/directconnect.c | 131 +++++++++--------------- 
src/lib/protocols/directdownloadlink.c | 36 ++++--- src/lib/protocols/dns.c | 28 +++--- src/lib/protocols/dofus.c | 100 +++++++++--------- src/lib/protocols/drda.c | 13 ++- src/lib/protocols/dropbox.c | 13 ++- src/lib/protocols/eaq.c | 59 ++++++----- src/lib/protocols/edonkey.c | 22 ++-- src/lib/protocols/fasttrack.c | 22 ++-- src/lib/protocols/fiesta.c | 24 ++--- src/lib/protocols/filetopia.c | 17 ++-- src/lib/protocols/fix.c | 17 +++- src/lib/protocols/florensia.c | 38 ++++--- src/lib/protocols/ftp_control.c | 24 +++-- src/lib/protocols/ftp_data.c | 16 +-- src/lib/protocols/git.c | 15 ++- src/lib/protocols/gnutella.c | 86 +++++++--------- src/lib/protocols/gtp.c | 12 ++- src/lib/protocols/guildwars.c | 20 ++-- src/lib/protocols/h323.c | 27 +++-- src/lib/protocols/halflife2_and_mods.c | 17 ++-- src/lib/protocols/hangout.c | 15 ++- src/lib/protocols/hep.c | 15 ++- src/lib/protocols/http.c | 179 +++++++++++++++++---------------- src/lib/protocols/http_activesync.c | 15 ++- src/lib/protocols/iax.c | 16 +-- src/lib/protocols/icecast.c | 18 ++-- src/lib/protocols/ipp.c | 35 +++---- src/lib/protocols/irc.c | 156 ++++++++++++---------------- src/lib/protocols/jabber.c | 94 ++++++++--------- src/lib/protocols/kakaotalk_voice.c | 13 ++- src/lib/protocols/kerberos.c | 23 ++--- src/lib/protocols/kontiki.c | 18 ++-- src/lib/protocols/ldap.c | 29 +++--- src/lib/protocols/lisp.c | 17 ++-- src/lib/protocols/lotus_notes.c | 51 +++++----- src/lib/protocols/mail_imap.c | 20 ++-- src/lib/protocols/mail_pop.c | 26 +++-- src/lib/protocols/mail_smtp.c | 23 ++--- src/lib/protocols/maplestory.c | 20 ++-- src/lib/protocols/mdns.c | 20 ++-- src/lib/protocols/megaco.c | 13 ++- src/lib/protocols/mgcp.c | 71 +++++++------ src/lib/protocols/mms.c | 19 ++-- src/lib/protocols/mpegts.c | 13 ++- src/lib/protocols/mqtt.c | 89 ++++++++-------- src/lib/protocols/msn.c | 96 +++++++++--------- src/lib/protocols/mssql_tds.c | 17 ++-- src/lib/protocols/mysql.c | 15 ++- src/lib/protocols/netbios.c | 89 
+++++++--------- src/lib/protocols/netflow.c | 21 ++-- src/lib/protocols/nfs.c | 24 +++-- src/lib/protocols/nintendo.c | 12 ++- src/lib/protocols/noe.c | 19 ++-- src/lib/protocols/ntp.c | 40 ++++---- src/lib/protocols/openft.c | 15 +-- src/lib/protocols/openvpn.c | 22 ++-- src/lib/protocols/oracle.c | 17 ++-- src/lib/protocols/oscar.c | 75 +++++++------- src/lib/protocols/pando.c | 37 +++---- src/lib/protocols/pcanywhere.c | 16 +-- src/lib/protocols/postgres.c | 27 ++--- src/lib/protocols/pplive.c | 58 +++++------ src/lib/protocols/ppstream.c | 32 ++---- src/lib/protocols/pptp.c | 16 ++- src/lib/protocols/qq.c | 80 +++++++-------- src/lib/protocols/quake.c | 22 ++-- src/lib/protocols/quic.c | 13 ++- src/lib/protocols/radius.c | 13 ++- src/lib/protocols/rdp.c | 14 ++- src/lib/protocols/redis_net.c | 16 +-- src/lib/protocols/rsync.c | 15 +-- src/lib/protocols/rtcp.c | 18 ++-- src/lib/protocols/rtmp.c | 21 ++-- src/lib/protocols/rtp.c | 85 ++++++++-------- src/lib/protocols/rtsp.c | 42 ++++---- src/lib/protocols/rx.c | 32 +++--- src/lib/protocols/sflow.c | 20 ++-- src/lib/protocols/shoutcast.c | 28 +++--- src/lib/protocols/sip.c | 48 ++++----- src/lib/protocols/skinny.c | 16 +-- src/lib/protocols/skype.c | 20 ++-- src/lib/protocols/smb.c | 14 ++- src/lib/protocols/smpp.c | 35 +++---- src/lib/protocols/snmp.c | 37 +++---- src/lib/protocols/socks45.c | 33 +++--- src/lib/protocols/socrates.c | 27 +++-- src/lib/protocols/someip.c | 52 +++++----- src/lib/protocols/sopcast.c | 36 +++---- src/lib/protocols/soulseek.c | 128 ++++++++--------------- src/lib/protocols/spotify.c | 18 ++-- src/lib/protocols/ssdp.c | 18 ++-- src/lib/protocols/ssh.c | 14 +-- src/lib/protocols/ssl.c | 75 +++++++------- src/lib/protocols/starcraft.c | 28 +++--- src/lib/protocols/stealthnet.c | 17 ++-- src/lib/protocols/steam.c | 71 ++++++------- src/lib/protocols/stun.c | 33 +++--- src/lib/protocols/syslog.c | 41 ++++---- src/lib/protocols/teamspeak.c | 40 ++++---- src/lib/protocols/teamviewer.c | 15 
++- src/lib/protocols/telegram.c | 12 ++- src/lib/protocols/telnet.c | 19 ++-- src/lib/protocols/teredo.c | 16 ++- src/lib/protocols/tftp.c | 17 ++-- src/lib/protocols/thunder.c | 45 ++++----- src/lib/protocols/tinc.c | 14 +-- src/lib/protocols/tor.c | 16 +-- src/lib/protocols/tvants.c | 21 ++-- src/lib/protocols/tvuplayer.c | 33 +++--- src/lib/protocols/ubntac2.c | 14 ++- src/lib/protocols/usenet.c | 38 +++---- src/lib/protocols/vhua.c | 12 ++- src/lib/protocols/viber.c | 15 +-- src/lib/protocols/vmware.c | 12 ++- src/lib/protocols/vnc.c | 13 ++- src/lib/protocols/warcraft3.c | 34 +++---- src/lib/protocols/whoisdas.c | 16 ++- src/lib/protocols/world_of_kung_fu.c | 17 ++-- src/lib/protocols/world_of_warcraft.c | 49 ++++----- src/lib/protocols/xbox.c | 18 ++-- src/lib/protocols/xdmcp.c | 19 ++-- src/lib/protocols/yahoo.c | 84 +++++++--------- src/lib/protocols/zattoo.c | 131 ++++++++---------------- src/lib/protocols/zeromq.c | 12 ++- 153 files changed, 2678 insertions(+), 2490 deletions(-) (limited to 'example/ndpi_util.h') diff --git a/example/ndpiReader.c b/example/ndpiReader.c index 8d8ee47b0..7a60fddb7 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -77,7 +77,9 @@ static json_object *jArray_topStats; static u_int8_t live_capture = 0; static u_int8_t undetected_flows_deleted = 0; /** User preferences **/ -static u_int8_t enable_protocol_guess = 1, verbose = 0, nDPI_traceLevel = 0, json_flag = 0; +static u_int8_t enable_protocol_guess = 1, verbose = 0, json_flag = 0; +int nDPI_LogLevel = 0; +char *_debug_protocols = NULL; static u_int8_t stats_flag = 0, bpf_filter_flag = 0; #ifdef HAVE_JSON_C static u_int8_t file_first_time = 1; 
@@ -250,9 +252,12 @@ static void help(u_int long_help) { " | 1 = verbose\n" " | 2 = very verbose\n" " | 3 = port stats\n" - " -b | Specify a file to write port based diagnose statistics\n" - " -x | Produce bpf filters for specified diagnose file. Use\n" - " | this option only for .json files generated with -b flag.\n"); + " -V <1-4> | nDPI logging level\n" + " | 1 - trace, 2 - debug, 3 - full debug\n" + " | >3 - full debug + dbg_proto = all\n" + " -b | Specify a file to write port based diagnose statistics\n" + " -x | Produce bpf filters for specified diagnose file. Use\n" + " | this option only for .json files generated with -b flag.\n"); #ifndef WIN32 @@ -266,6 +271,7 @@ static void help(u_int long_help) { " --extcap-capture-filter\n" " --fifo \n" " --debug\n" + " --dbg-proto proto|num[,...]\n" ); #endif @@ -289,7 +295,8 @@ static struct option longopts[] = { { "capture", no_argument, NULL, '5'}, { "extcap-capture-filter", required_argument, NULL, '6'}, { "fifo", required_argument, NULL, '7'}, - { "debug", optional_argument, NULL, '8'}, + { "debug", no_argument, NULL, '8'}, + { "dbg-proto", required_argument, NULL, 257}, { "ndpi-proto-filter", required_argument, NULL, '9'}, /* ndpiReader options */ @@ -519,8 +526,12 @@ static void parseOptions(int argc, char **argv) { break; case 'V': - printf("%d\n",atoi(optarg) ); - nDPI_traceLevel = atoi(optarg); + nDPI_LogLevel = atoi(optarg); + if(nDPI_LogLevel < 0) nDPI_LogLevel = 0; + if(nDPI_LogLevel > 3) { + nDPI_LogLevel = 3; + _debug_protocols = strdup("all"); + } break; case 'h': @@ -546,6 +557,7 @@ static void parseOptions(int argc, char **argv) { case 'q': quiet_mode = 1; + nDPI_LogLevel = 0; break; /* Extcap */ 
@@ -574,12 +586,17 @@ static void parseOptions(int argc, char **argv) { break; case '8': - nDPI_traceLevel = 9; + nDPI_LogLevel = NDPI_LOG_DEBUG_EXTRA; + _debug_protocols = strdup("all"); break; case '9': extcap_packet_filter = atoi(optarg); break; + + case 257: + _debug_protocols = strdup(optarg); + break; default: help(0); @@ -985,7 +1002,6 @@ void updateTopIpAddress(u_int32_t addr, u_int8_t version, const char *proto, int min = count; int update = 0; int min_i = 0; - int r; int i; if(count == 0) return; @@ -1117,6 +1133,7 @@ static struct receiver *cutBackTo(struct receiver **receivers, u_int32_t size, u HASH_DEL(*receivers, r); free(r); } + return NULL; } /* *********************************************** */ @@ -1381,7 +1398,7 @@ static void debug_printf(u_int32_t protocol, void *id_struct, struct tm result; #endif - if(log_level <= nDPI_traceLevel) { + if(log_level <= nDPI_LogLevel) { char buf[8192], out_buf[8192]; char theDate[32]; const char *extra_msg = ""; diff --git a/example/ndpi_util.c b/example/ndpi_util.c index d57e9e90e..11f66049c 100644 --- a/example/ndpi_util.c +++ b/example/ndpi_util.c 
@@ -105,6 +105,61 @@ static void free_wrapper(void *freeable) { /* ***************************************************** */ +static uint16_t ndpi_get_proto_id(struct ndpi_detection_module_struct *ndpi_mod, const char *name) { + uint16_t proto_id; + char *e; + unsigned long p = strtol(name,&e,0); + if(e && !*e) { + if(p < NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS && + ndpi_mod->proto_defaults[p].protoName) return (uint16_t)p; + return NDPI_PROTOCOL_UNKNOWN; + } + for(proto_id=NDPI_PROTOCOL_UNKNOWN; proto_id < NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS; proto_id++) { + if(ndpi_mod->proto_defaults[proto_id].protoName && + !strcasecmp(ndpi_mod->proto_defaults[proto_id].protoName,name)) + return proto_id; + } + return NDPI_PROTOCOL_UNKNOWN; +} +static NDPI_PROTOCOL_BITMASK debug_bitmask; +static char _proto_delim[] = " \t,:;"; +static int parse_debug_proto(struct ndpi_detection_module_struct *ndpi_mod, char *str) { +char *n; +uint16_t proto; +char op=1; +for(n = strtok(str,_proto_delim); n && *n; n = strtok(NULL,_proto_delim)) { + if(*n == '-') { + op = 0; + n++; + } else if(*n == '+') { + op = 1; + n++; + } + if(!strcmp(n,"all")) { + if(op) + NDPI_BITMASK_SET_ALL(debug_bitmask); + else + NDPI_BITMASK_RESET(debug_bitmask); + continue; + } + proto = ndpi_get_proto_id(ndpi_mod, n); + if(proto == NDPI_PROTOCOL_UNKNOWN && strcmp(n,"unknown") && strcmp(n,"0")) { + fprintf(stderr,"Invalid protocol %s\n",n); + return 1; + } + if(op) + NDPI_BITMASK_ADD(debug_bitmask,proto); + else + NDPI_BITMASK_DEL(debug_bitmask,proto); +} +return 0; +} + +/* ***************************************************** */ + +extern char *_debug_protocols; +static int _debug_protocols_ok = 0; + struct ndpi_workflow * ndpi_workflow_init(const struct ndpi_workflow_prefs * prefs, pcap_t * pcap_handle) { set_ndpi_malloc(malloc_wrapper), set_ndpi_free(free_wrapper); set_ndpi_flow_malloc(NULL), set_ndpi_flow_free(NULL); 
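Review bot: In parse_debug_proto, `op` is set by a leading `-` or `+` and never reset, so in a list such as `-http,dns` the second token is also removed from the mask; if the prefix is meant to apply per token, add `op = 1;` as the first statement of the loop body, otherwise state the sticky behaviour in a comment above the function. In ndpi_get_proto_id the result of `strtol` is stored in an `unsigned long`, so a negative number is rejected only because it wraps to a large value; a `long` with an explicit `p < 0` test says what is meant. Neither new function has a header comment describing the accepted syntax (`all`, protocol names, numeric ids, the `+`/`-` prefixes and the delimiter set in `_proto_delim`), and the body of parse_debug_proto is not indented.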
@@ -121,7 +176,18 @@ struct ndpi_workflow * ndpi_workflow_init(const struct ndpi_workflow_prefs * pre NDPI_LOG(0, NULL, NDPI_LOG_ERROR, "global structure initialization failed\n"); exit(-1); } + module->ndpi_log_level = nDPI_LogLevel; + if(_debug_protocols != NULL && ! _debug_protocols_ok) { + if(parse_debug_proto(module,_debug_protocols)) + exit(-1); + _debug_protocols_ok = 1; + } +#ifdef NDPI_ENABLE_DEBUG_MESSAGES + NDPI_BITMASK_RESET(module->debug_bitmask); + if(_debug_protocols_ok) + module->debug_bitmask = debug_bitmask; +#endif workflow->ndpi_flows_root = ndpi_calloc(workflow->prefs.num_roots, sizeof(void *)); return workflow; } diff --git a/example/ndpi_util.h b/example/ndpi_util.h index 51bc09ddb..7abebe4f5 100644 --- a/example/ndpi_util.h +++ b/example/ndpi_util.h @@ -179,4 +179,7 @@ int ndpi_workflow_node_cmp(const void *a, const void *b); void process_ndpi_collected_info(struct ndpi_workflow * workflow, struct ndpi_flow_info *flow); u_int32_t ethernet_crc32(const void* data, size_t n_bytes); void ndpi_flow_info_freer(void *node); + +extern int nDPI_LogLevel; + #endif diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h index 4193a2c57..2062974ad 100644 --- a/src/include/ndpi_api.h +++ b/src/include/ndpi_api.h @@ -383,6 +383,20 @@ extern "C" { u_int16_t master_protocol_id); + /** + * Exclude protocol from search + * + * @par ndpi_struct = the detection module + * @par flow = the flow where match the host + * @par master_protocol_id = value of the ID associated to the master protocol detected + * + */ + void ndpi_exclude_protocol(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t master_protocol_id, + const char *_file, const char *_func,int _line); + + /** * Check if the string -bigram_to_match- match with a bigram of -automa- * diff --git a/src/include/ndpi_define.h.in b/src/include/ndpi_define.h.in index 33c3c622e..c6c1f4481 100644 --- a/src/include/ndpi_define.h.in +++ b/src/include/ndpi_define.h.in 
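Review bot: In ndpi_workflow_init the `--dbg-proto` list is parsed and validated in every build, but the resulting mask is copied to `module->debug_bitmask` only under `#ifdef NDPI_ENABLE_DEBUG_MESSAGES`, so in a build without that define the option (and `-V`) is accepted and then silently has no effect. A short diagnostic in an `#else` branch would make that visible, e.g. `if(_debug_protocols != NULL) fprintf(stderr, "nDPI built without debug messages: --dbg-proto ignored\n");`. The function starts outside the hunk.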
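Review bot: The doc comment added for ndpi_exclude_protocol in ndpi_api.h does not describe the function it precedes: `flow = the flow where match the host` and the master-protocol wording look copied from the neighbouring declaration, the third parameter is named `protocol_id` in the definition in ndpi_main.c, and `_file`, `_func` and `_line` are not documented. Suggested wording: `@par protocol_id = ID of the protocol to add to the flow's excluded_protocol_bitmask` and `@par _file, _func, _line = call-site location printed in the debug message`. The comment could also say that dissectors are expected to call it through `NDPI_EXCLUDE_PROTO`.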
@@ -180,24 +180,67 @@ #define NDPI_SOULSEEK_CONNECTION_IP_TICK_TIMEOUT 600 #ifdef NDPI_ENABLE_DEBUG_MESSAGES -#define NDPI_LOG(proto, m, log_level, args...) \ + #define NDPI_LOG(proto, m, log_level, args...) \ { \ struct ndpi_detection_module_struct *mod = (struct ndpi_detection_module_struct*) m; \ - if(mod != NULL) { \ - mod->ndpi_debug_print_file=__FILE__; \ - mod->ndpi_debug_print_function=__FUNCTION__; \ - mod->ndpi_debug_print_line=__LINE__; \ - (*(mod->ndpi_debug_printf))(proto, mod, log_level, args); \ - } \ + if(mod != NULL && mod->ndpi_debug_printf != NULL) \ + (*(mod->ndpi_debug_printf))(proto, mod, log_level, __FILE__, __FUNCTION__, __LINE__, args); \ } -#else /* NDPI_ENABLE_DEBUG_MESSAGES */ -#ifdef WIN32 -#define NDPI_LOG(...) {} -#else -#define NDPI_LOG(proto, mod, log_level, args...) {} -#endif + + /* We must define NDPI_CURRENT_PROTO before include ndpi_main.h !!! + * + * #include "ndpi_protocol_ids.h" + * #define NDPI_CURRENT_PROTO NDPI_PROTOCOL_XXXX + * #include "ndpi_api.h" + * + */ + + #ifndef NDPI_CURRENT_PROTO + #define NDPI_CURRENT_PROTO NDPI_PROTO_UNKNOWN + #endif + + #define NDPI_LOG_ERR(mod, args...) \ + if(mod && mod->ndpi_log_level >= NDPI_LOG_ERROR) { \ + if(mod != NULL && mod->ndpi_debug_printf != NULL) \ + (*(mod->ndpi_debug_printf))(NDPI_CURRENT_PROTO, mod, NDPI_LOG_ERROR , __FILE__, __FUNCTION__, __LINE__, args); \ + } + + #define NDPI_LOG_INFO(mod, args...) \ + if(mod && mod->ndpi_log_level >= NDPI_LOG_TRACE) { \ + if(mod != NULL && mod->ndpi_debug_printf != NULL) \ + (*(mod->ndpi_debug_printf))(NDPI_CURRENT_PROTO, mod, NDPI_LOG_TRACE , __FILE__, __FUNCTION__, __LINE__, args); \ + } + + #define NDPI_LOG_DBG(mod, args...) \ + if(mod && mod->ndpi_log_level >= NDPI_LOG_DEBUG) { \ + if(mod != NULL && mod->ndpi_debug_printf != NULL) \ + (*(mod->ndpi_debug_printf))(NDPI_CURRENT_PROTO, mod, NDPI_LOG_DEBUG , __FILE__, __FUNCTION__, __LINE__, args); \ + } + + #define NDPI_LOG_DBG2(mod, args...) 
\ + if(mod && mod->ndpi_log_level >= NDPI_LOG_DEBUG_EXTRA) { \ + if(mod != NULL && mod->ndpi_debug_printf != NULL) \ + (*(mod->ndpi_debug_printf))(NDPI_CURRENT_PROTO, mod, NDPI_LOG_DEBUG_EXTRA , __FILE__, __FUNCTION__, __LINE__, args); \ + } + +#else /* not defined NDPI_ENABLE_DEBUG_MESSAGES */ +# ifdef WIN32 +# define NDPI_LOG(...) {} +# define NDPI_LOG_ERR(...) {} +# define NDPI_LOG_INFO(...) {} +# define NDPI_LOG_DBG(...) {} +# define NDPI_LOG_DBG2(...) {} +# else +# define NDPI_LOG(proto, mod, log_level, args...) {} +# define NDPI_LOG_ERR(mod, args...) {} +# define NDPI_LOG_INFO(mod, args...) {} +# define NDPI_LOG_DBG(mod, args...) {} +# define NDPI_LOG_DBG2(mod, args...) {} +# endif #endif /* NDPI_ENABLE_DEBUG_MESSAGES */ +#define NDPI_EXCLUDE_PROTO(mod,flow) ndpi_exclude_protocol(mod, flow, NDPI_CURRENT_PROTO, __FILE__, __FUNCTION__, __LINE__) + /** * macro for getting the string len of a static string * diff --git a/src/include/ndpi_typedefs.h b/src/include/ndpi_typedefs.h index 33043fde5..92b6a1a7a 100644 --- a/src/include/ndpi_typedefs.h +++ b/src/include/ndpi_typedefs.h @@ -36,7 +36,8 @@ typedef enum { NDPI_LOG_ERROR, NDPI_LOG_TRACE, - NDPI_LOG_DEBUG + NDPI_LOG_DEBUG, + NDPI_LOG_DEBUG_EXTRA } ndpi_log_level_t; /* NDPI_VISIT */ @@ -859,12 +860,14 @@ struct ndpi_detection_module_struct { ndpi_default_ports_tree_node_t *tcpRoot, *udpRoot; + ndpi_log_level_t ndpi_log_level; /* default error */ #ifdef NDPI_ENABLE_DEBUG_MESSAGES /* debug callback, only set when debug is used */ ndpi_debug_function_ptr ndpi_debug_printf; const char *ndpi_debug_print_file; const char *ndpi_debug_print_function; u_int32_t ndpi_debug_print_line; + NDPI_PROTOCOL_BITMASK debug_bitmask; #endif /* misc parameters */ diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c index d7583f520..1e01489e7 100644 --- a/src/lib/ndpi_main.c +++ b/src/lib/ndpi_main.c 
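Review bot: NDPI_LOG_ERR, NDPI_LOG_INFO, NDPI_LOG_DBG and NDPI_LOG_DBG2 in ndpi_define.h.in expand to a bare `if(...) { ... }`, and their disabled variants to `{}`, so none of them can be used safely as the single statement of an unbraced `if` that has an `else`. Wrapping each body as `do { if(mod && ...) { ... } } while(0)` (and the disabled forms as `do {} while(0)`) makes them behave like ordinary statements. Separately, the `#ifndef NDPI_CURRENT_PROTO` fallback uses `NDPI_PROTO_UNKNOWN` while the rest of the diff uses `NDPI_PROTOCOL_UNKNOWN`; unless that name is defined elsewhere, a file relying on the fallback will not compile, so `#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UNKNOWN` looks like what was meant. The inner `mod != NULL` test repeats the outer `mod &&` check and can be dropped.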
@@ -24,6 +24,9 @@ #include #include #include "ahocorasick.h" + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UNKNOWN + #include "ndpi_api.h" #include "../../config.h" @@ -36,6 +39,7 @@ #include "third_party/include/ndpi_patricia.h" #include "third_party/src/ndpi_patricia.c" +static int _ndpi_debug_callbacks = 0; /* implementation of the punycode check function */ int check_punycode_string(char * buffer , int len) @@ -301,10 +305,12 @@ int strncasecmp(s1, s2, n) /* ****************************************** */ /* Forward */ -static void addDefaultPort(ndpi_port_range *range, +static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_mod, + ndpi_port_range *range, ndpi_proto_defaults_t *def, u_int8_t customUserProto, - ndpi_default_ports_tree_node_t **root); + ndpi_default_ports_tree_node_t **root, + const char *_func, int _line); static int removeDefaultPort(ndpi_port_range *range, ndpi_proto_defaults_t *def, @@ -477,6 +483,27 @@ u_int8_t ndpi_is_subprotocol_informative(struct ndpi_detection_module_struct *nd return(0); } } +/* ********************************************************************************** */ + +void ndpi_exclude_protocol(struct ndpi_detection_module_struct *ndpi_struct, + struct ndpi_flow_struct *flow, + u_int16_t protocol_id, + const char *_file, const char *_func,int _line) { + + if(protocol_id < NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS) { +#ifdef NDPI_ENABLE_DEBUG_MESSAGES + if ( ndpi_struct && + ndpi_struct->ndpi_log_level >= NDPI_LOG_DEBUG && + ndpi_struct->ndpi_debug_printf != NULL) { + + (*(ndpi_struct->ndpi_debug_printf))(protocol_id, ndpi_struct, NDPI_LOG_DEBUG, + _file, _func, _line, "exclude %s\n",ndpi_get_proto_name(ndpi_struct, protocol_id)); + + } +#endif + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, protocol_id); + } +} /* ********************************************************************************** */ 
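Review bot: `_ndpi_debug_callbacks` is initialised to 0 and nothing in the visible diff assigns it, so every `if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(...)` added later in ndpi_main.c is dead code as written. If it is meant as a developer switch, say so next to the declaration, e.g. `/* set to 1 to trace callback-buffer registration */`, or turn it into something that can be enabled at run time, such as a field set from the log level.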
@@ -490,14 +517,14 @@ void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod, if(protoId >= NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS) { #ifdef DEBUG - printf("[NDPI] %s(%s/protoId=%d): INTERNAL ERROR\n", __FUNCTION__, protoName, protoId); + NDPI_LOG_ERR(ndpi_mod, "[NDPI] %s/protoId=%d: INTERNAL ERROR\n", protoName, protoId); #endif return; } if(ndpi_mod->proto_defaults[protoId].protoName != NULL) { #ifdef DEBUG - printf("[NDPI] %s(%s/protoId=%d): already initialized. Ignoring it\n", __FUNCTION__, protoName, protoId); + NDPI_LOG_ERR(ndpi_mod, "[NDPI] %s/protoId=%d: already initialized. Ignoring it\n", protoName, protoId); #endif return; } @@ -513,8 +540,8 @@ void ndpi_set_proto_defaults(struct ndpi_detection_module_struct *ndpi_mod, memcpy(&ndpi_mod->proto_defaults[protoId].master_udp_protoId, udp_master_protoId, 2*sizeof(u_int16_t)); for(j=0; jproto_defaults[protoId], 0, &ndpi_mod->udpRoot); - if(tcpDefPorts[j].port_low != 0) addDefaultPort(&tcpDefPorts[j], &ndpi_mod->proto_defaults[protoId], 0, &ndpi_mod->tcpRoot); + if(udpDefPorts[j].port_low != 0) addDefaultPort(ndpi_mod, &udpDefPorts[j], &ndpi_mod->proto_defaults[protoId], 0, &ndpi_mod->udpRoot, __FUNCTION__,__LINE__); + if(tcpDefPorts[j].port_low != 0) addDefaultPort(ndpi_mod, &tcpDefPorts[j], &ndpi_mod->proto_defaults[protoId], 0, &ndpi_mod->tcpRoot, __FUNCTION__,__LINE__); } } @@ -536,7 +563,6 @@ void ndpi_default_ports_tree_node_t_walker(const void *node, const ndpi_VISIT wh { ndpi_default_ports_tree_node_t *f = *(ndpi_default_ports_tree_node_t **)node; - printf("<%d>Walk on node %s (%u)\n", depth, which == ndpi_preorder?"ndpi_preorder": 
@@ -548,10 +574,12 @@ void ndpi_default_ports_tree_node_t_walker(const void *node, const ndpi_VISIT wh /* ******************************************************************** */ -static void addDefaultPort(ndpi_port_range *range, +static void addDefaultPort(struct ndpi_detection_module_struct *ndpi_mod, + ndpi_port_range *range, ndpi_proto_defaults_t *def, u_int8_t customUserProto, - ndpi_default_ports_tree_node_t **root) + ndpi_default_ports_tree_node_t **root, + const char *_func, int _line) { ndpi_default_ports_tree_node_t *ret; u_int16_t port; @@ -560,7 +588,7 @@ static void addDefaultPort(ndpi_port_range *range, ndpi_default_ports_tree_node_t *node = (ndpi_default_ports_tree_node_t*)ndpi_malloc(sizeof(ndpi_default_ports_tree_node_t)); if(!node) { - printf("[NDPI] %s(): not enough memory\n", __FUNCTION__); + NDPI_LOG_ERR(ndpi_mod, "%s:%d not enough memory\n", _func, _line); break; } @@ -568,7 +596,8 @@ static void addDefaultPort(ndpi_port_range *range, ret = *(ndpi_default_ports_tree_node_t**)ndpi_tsearch(node, (void*)root, ndpi_default_ports_tree_node_t_cmp); /* Add it to the tree */ if(ret != node) { - /* printf("[NDPI] %s(): found duplicate for port %u: overwriting it with new value\n", __FUNCTION__, port); */ + NDPI_LOG_DBG(ndpi_mod, "[NDPI] %s:%d found duplicate for port %u: overwriting it with new value\n", + _func, _line, port); ret->proto = def; ndpi_free(node); @@ -616,7 +645,7 @@ static int ndpi_string_to_automa(struct ndpi_detection_module_struct *ndpi_struc AC_PATTERN_t ac_pattern; if(protocol_id >= (NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS)) { - printf("[NDPI] %s(protoId=%d): INTERNAL ERROR\n", __FUNCTION__, protocol_id); + NDPI_LOG_ERR(ndpi_struct, "[NDPI] protoId=%d: INTERNAL ERROR\n", protocol_id); return(-1); } 
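Review bot: The out-of-memory message in addDefaultPort now goes through `NDPI_LOG_ERR`, which ndpi_define.h.in defines as `{}` when `NDPI_ENABLE_DEBUG_MESSAGES` is not set, so in such builds the allocation failure is reported nowhere and the `void` function simply stops registering ports after the `break`. The same applies to the `printf` calls replaced in ndpi_string_to_automa, ndpi_remove_host_url_subprotocol, ndpi_init_protocol_defaults, ndpi_handle_rule and ndpi_load_protocols_file further down. The ones that return an error code still signal the caller; here there is no such signal, so either keep an unconditional `fprintf(stderr, ...)` for this case or give the function a status return. addDefaultPort's body continues outside the hunk.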
@@ -640,7 +669,7 @@ static int ndpi_add_host_url_subprotocol(struct ndpi_detection_module_struct *nd ndpi_protocol_breed_t breed) { #ifdef DEBUG - printf("[NDPI] Adding [%s][%d]\n", value, protocol_id); + NDPI_LOG_DEBUG2(ndpi_struct, "[NDPI] Adding [%s][%d]\n", value, protocol_id); #endif return(ndpi_string_to_automa(ndpi_struct, &ndpi_struct->host_automa, @@ -668,7 +697,7 @@ int ndpi_add_content_subprotocol(struct ndpi_detection_module_struct *ndpi_struc static int ndpi_remove_host_url_subprotocol(struct ndpi_detection_module_struct *ndpi_struct, char *value, int protocol_id) { - printf("[NDPI] Missing implementation of %s()\n", __FUNCTION__); + NDPI_LOG_ERR(ndpi_struct, "[NDPI] Missing implementation for proto %s/%d\n",value,protocol_id); return(-1); } @@ -1686,9 +1715,8 @@ static void ndpi_init_protocol_defaults(struct ndpi_detection_module_struct *ndp if((ndpi_mod->proto_defaults[i].protoName == NULL) || ((i != NDPI_PROTOCOL_UNKNOWN) && (ndpi_mod->proto_defaults[i].protoCategory == NDPI_PROTOCOL_CATEGORY_UNSPECIFIED))) { - printf("[NDPI] %s(missing protoId=%d/%s) INTERNAL ERROR: not all protocols have been initialized\n", - __FUNCTION__, i, - ndpi_mod->proto_defaults[i].protoName ? ndpi_mod->proto_defaults[i].protoName : "???"); + NDPI_LOG_ERR(ndpi_mod, "[NDPI] missing protoId=%d/%s: INTERNAL ERROR: not all protocols have been initialized\n", + i, ndpi_mod->proto_defaults[i].protoName ? ndpi_mod->proto_defaults[i].protoName : "???"); } } } 
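Review bot: `NDPI_LOG_DEBUG2` in ndpi_add_host_url_subprotocol is not one of the macros this commit defines; ndpi_define.h.in adds `NDPI_LOG_DBG2`. The call sits under `#ifdef DEBUG`, so the mistake only surfaces as a build failure or an implicit-declaration warning when DEBUG is defined. The line should read `NDPI_LOG_DBG2(ndpi_struct, "[NDPI] Adding [%s][%d]\n", value, protocol_id);`.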
@@ -1837,22 +1865,26 @@ void set_ndpi_flow_malloc(void* (*__ndpi_flow_malloc)(size_t size)) { _ndpi_flow void set_ndpi_free(void (*__ndpi_free)(void *ptr)) { _ndpi_free = __ndpi_free; } void set_ndpi_flow_free(void (*__ndpi_flow_free)(void *ptr)) { _ndpi_flow_free = __ndpi_flow_free; } -void ndpi_debug_printf(unsigned int proto, struct ndpi_detection_module_struct *ndpi_str, ndpi_log_level_t log_level, const char * format, ...) +void ndpi_debug_printf(unsigned int proto, struct ndpi_detection_module_struct *ndpi_str, + ndpi_log_level_t log_level, const char *file_name, const char *func_name, int line_number, + const char * format, ...) { #ifdef NDPI_ENABLE_DEBUG_MESSAGES va_list args; #define MAX_STR_LEN 120 char str[MAX_STR_LEN]; + if(ndpi_str != NULL && log_level > NDPI_LOG_ERROR && + proto > 0 && proto < NDPI_MAX_SUPPORTED_PROTOCOLS && + !NDPI_ISSET(&ndpi_str->debug_bitmask,proto)) return; va_start(args, format); vsprintf(str, format, args); va_end(args); if (ndpi_str != NULL) { - char proto_name[64]; - snprintf(proto_name, sizeof(proto_name), "%s", ndpi_get_proto_name(ndpi_str, proto)); - printf("%s:%s:%u - Proto: %s, %s\n", ndpi_str->ndpi_debug_print_file, ndpi_str->ndpi_debug_print_function, ndpi_str->ndpi_debug_print_line, proto_name, str); + printf("%s:%s:%-3u - [%s]: %s", + file_name, func_name, line_number, ndpi_get_proto_name(ndpi_str, proto), str); } else { - printf("Proto: %u, %s\n", proto, str); + printf("Proto: %u, %s", proto, str); } #endif } @@ -1871,7 +1903,7 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(void) { if(ndpi_str == NULL) { #ifdef NDPI_ENABLE_DEBUG_MESSAGES - NDPI_LOG(0, ndpi_str, NDPI_LOG_DEBUG, "ndpi_init_detection_module initial malloc failed for ndpi_str\n"); + NDPI_LOG_ERR(ndpi_str, "ndpi_init_detection_module initial malloc failed for ndpi_str\n"); #endif /* NDPI_ENABLE_DEBUG_MESSAGES */ return NULL; } 
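Review bot: ndpi_debug_printf still formats into `char str[MAX_STR_LEN]` (120 bytes) with `vsprintf`, while this commit routes many more messages through the debug callback whose arguments are not length-bounded: rule and protocol strings in ndpi_handle_rule, the path and `strerror` text in ndpi_load_protocols_file, and `%.*s` of the HTTP response line in ndpi_parse_packet_line_info. In a build with `NDPI_ENABLE_DEBUG_MESSAGES` where this function is the installed callback, any message longer than 119 characters writes past the stack buffer. Replace the call with `vsnprintf(str, sizeof(str), format, args);`. The per-protocol filter added above it tests `proto < NDPI_MAX_SUPPORTED_PROTOCOLS`, whereas ndpi_get_proto_id in ndpi_util.c accepts ids up to `NDPI_MAX_SUPPORTED_PROTOCOLS+NDPI_MAX_NUM_CUSTOM_PROTOCOLS`, so messages for custom protocols are never filtered; confirm that is intended.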
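Review bot: The `NDPI_LOG_ERR(ndpi_str, ...)` call in the `ndpi_str == NULL` branch of ndpi_init_detection_module can never print, because the macro's first test is `mod &&` and `ndpi_str` is NULL at that point. Either drop the call or report the failed allocation directly, e.g. `fprintf(stderr, "ndpi_init_detection_module: initial malloc failed\n");`. The function continues outside the hunk.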
@@ -2166,7 +2198,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod, char* rule, at = strrchr(rule, '@'); if(at == NULL) { - printf("Invalid rule '%s'\n", rule); + NDPI_LOG_ERR(ndpi_mod, "Invalid rule '%s'\n", rule); return(-1); } else at[0] = 0, proto = &at[1]; @@ -2197,14 +2229,14 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod, char* rule, if(def == NULL) { if(!do_add) { /* We need to remove a rule */ - printf("Unable to find protocol '%s': skipping rule '%s'\n", proto, rule); + NDPI_LOG_ERR(ndpi_mod, "Unable to find protocol '%s': skipping rule '%s'\n", proto, rule); return(-3); } else { ndpi_port_range ports_a[MAX_DEFAULT_PORTS], ports_b[MAX_DEFAULT_PORTS]; u_int16_t no_master[2] = { NDPI_PROTOCOL_NO_MASTER_PROTO, NDPI_PROTOCOL_NO_MASTER_PROTO }; if(ndpi_mod->ndpi_num_custom_protocols >= (NDPI_MAX_NUM_CUSTOM_PROTOCOLS-1)) { - printf("Too many protocols defined (%u): skipping protocol %s\n", + NDPI_LOG_ERR(ndpi_mod, "Too many protocols defined (%u): skipping protocol %s\n", ndpi_mod->ndpi_num_custom_protocols, proto); return(-2); } @@ -2245,7 +2277,7 @@ int ndpi_handle_rule(struct ndpi_detection_module_struct *ndpi_mod, char* rule, if(sscanf(value, "%u-%u", (u_int32_t *)&range.port_low, (u_int32_t *)&range.port_high) != 2) range.port_low = range.port_high = atoi(&elem[4]); if(do_add) - addDefaultPort(&range, def, 1 /* Custom user proto */, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot); + addDefaultPort(ndpi_mod, &range, def, 1 /* Custom user proto */, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot, __FUNCTION__,__LINE__); else removeDefaultPort(&range, def, is_tcp ? &ndpi_mod->tcpRoot : &ndpi_mod->udpRoot); } else if(is_ip) { @@ -2280,7 +2312,7 @@ int ndpi_load_protocols_file(struct ndpi_detection_module_struct *ndpi_mod, char int i; if(fd == NULL) { - printf("Unable to open file %s [%s]", path, strerror(errno)); + NDPI_LOG_ERR(ndpi_mod, "Unable to open file %s [%s]", path, strerror(errno)); return(-1); } 
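Review bot: On the line just above the changed addDefaultPort call in ndpi_handle_rule, `sscanf(value, "%u-%u", (u_int32_t *)&range.port_low, (u_int32_t *)&range.port_high)` stores two 32-bit values through cast pointers; the casts suggest the `ndpi_port_range` fields are narrower (the type is not visible here), in which case each store writes past the field with data taken from the rules file. As the commit already touches the statement that consumes `range`, this would be a good place to parse into two local `unsigned int` variables, reject values above 65535 or a low bound greater than the high bound, and only then assign. The `atoi(&elem[4])` fallback has the same lack of range checking. ndpi_handle_rule starts and ends outside the hunk.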
@@ -2320,14 +2352,18 @@ void ndpi_set_bitmask_protocol_detection(char * label, */ if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(*detection_bitmask, ndpi_protocol_id) != 0) { #ifdef DEBUG - NDPI_LOG(0, ndpi_struct, NDPI_LOG_DEBUG,"[NDPI] ndpi_set_bitmask_protocol_detection: %s : [callback_buffer] idx= %u, [proto_defaults] protocol_id=%u\n", label, idx, ndpi_protocol_id); + NDPI_LOG_DBG2(ndpi_struct + "[NDPI] ndpi_set_bitmask_protocol_detection: %s : [callback_buffer] idx= %u, [proto_defaults] protocol_id=%u\n", + label, idx, ndpi_protocol_id); #endif - if(ndpi_struct->proto_defaults[ndpi_protocol_id].protoIdx != 0) - printf("[NDPI] Internal error: protocol %s/%u has been already registered\n", label, ndpi_protocol_id); - else { + if(ndpi_struct->proto_defaults[ndpi_protocol_id].protoIdx != 0) { + NDPI_LOG_DBG2(ndpi_struct, + "[NDPI] Internal error: protocol %s/%u has been already registered\n", label, ndpi_protocol_id); #ifdef DEBUG - printf("[NDPI] Adding %s with protocol id %d\n", label, ndpi_protocol_id); + } else { + NDPI_LOG_DBG2(ndpi_struct, + "[NDPI] Adding %s with protocol id %d\n", label, ndpi_protocol_id); #endif } @@ -2810,7 +2846,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n ndpi_struct->callback_buffer_size = a; - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "callback_buffer_size is %u\n", ndpi_struct->callback_buffer_size); /* now build the specific buffer for tcp, udp and non_tcp_udp */ @@ -2821,7 +2857,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n & (NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP | NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0) { - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, + if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_struct, "callback_buffer_tcp_payload, adding buffer %u as entry %u\n", a, ndpi_struct->callback_buffer_size_tcp_payload); 
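Review bot: The first `NDPI_LOG_DBG2(ndpi_struct` call added in ndpi_set_bitmask_protocol_detection appears to be missing the comma before the format string (the next added line starts directly with `"[NDPI] ndpi_set_bitmask_protocol_detection: ..."`), which will not compile once `DEBUG` is defined; it should read `NDPI_LOG_DBG2(ndpi_struct,`. In the same hunk the `} else {` now lives inside `#ifdef DEBUG`, so the brace structure differs between the two builds, and the "has been already registered" internal error is demoted from an unconditional `printf` to the debug-extra level. Keeping the `if`/`else` outside the `#ifdef` and logging the internal error with `NDPI_LOG_ERR` would be easier to follow. The function continues outside the hunk.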
@@ -2831,7 +2867,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n if((ndpi_struct-> callback_buffer[a].ndpi_selection_bitmask & NDPI_SELECTION_BITMASK_PROTOCOL_HAS_PAYLOAD) == 0) { - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, + if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_struct, "\tcallback_buffer_tcp_no_payload, additional adding buffer %u to no_payload process\n", a); memcpy(&ndpi_struct->callback_buffer_tcp_no_payload @@ -2848,7 +2884,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n NDPI_SELECTION_BITMASK_PROTOCOL_INT_TCP_OR_UDP | NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC)) != 0) { - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, + if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_struct, "callback_buffer_size_udp: adding buffer : %u as entry %u\n", a, ndpi_struct->callback_buffer_size_udp); memcpy(&ndpi_struct->callback_buffer_udp[ndpi_struct->callback_buffer_size_udp], @@ -2865,7 +2901,7 @@ void ndpi_set_protocol_detection_bitmask2(struct ndpi_detection_module_struct *n == 0 || (ndpi_struct-> callback_buffer[a].ndpi_selection_bitmask & NDPI_SELECTION_BITMASK_PROTOCOL_COMPLETE_TRAFFIC) != 0) { - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, + if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_struct, "callback_buffer_non_tcp_udp: adding buffer : %u as entry %u\n", a, ndpi_struct->callback_buffer_size_non_tcp_udp); memcpy(&ndpi_struct->callback_buffer_non_tcp_udp[ndpi_struct->callback_buffer_size_non_tcp_udp], 
@@ -2955,11 +2991,11 @@ static u_int8_t ndpi_detection_get_l4_internal(struct ndpi_detection_module_stru iph = (const struct ndpi_iphdr *) l3; if(iph->version == IPVERSION && iph->ihl >= 5) { - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, "ipv4 header\n"); + NDPI_LOG_DBG2(ndpi_struct, "ipv4 header\n"); } #ifdef NDPI_DETECTION_SUPPORT_IPV6 else if(iph->version == 6 && l3_len >= sizeof(struct ndpi_ipv6hdr)) { - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, "ipv6 header\n"); + NDPI_LOG_DBG2(ndpi_struct, "ipv6 header\n"); iph_v6 = (const struct ndpi_ipv6hdr *) iph; iph = NULL; } @@ -2969,12 +3005,12 @@ static u_int8_t ndpi_detection_get_l4_internal(struct ndpi_detection_module_stru } if((flags & NDPI_DETECTION_ONLY_IPV6) && iph != NULL) { - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, "ipv4 header found but excluded by flag\n"); + NDPI_LOG_DBG2(ndpi_struct, "ipv4 header found but excluded by flag\n"); return 1; } #ifdef NDPI_DETECTION_SUPPORT_IPV6 else if((flags & NDPI_DETECTION_ONLY_IPV4) && iph_v6 != NULL) { - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, "ipv6 header found but excluded by flag\n"); + NDPI_LOG_DBG2(ndpi_struct, "ipv6 header found but excluded by flag\n"); return 1; } #endif 
@@ -3073,12 +3109,12 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str #endif /* NDPI_DETECTION_SUPPORT_IPV6 */ if(decaps_iph && decaps_iph->version == IPVERSION && decaps_iph->ihl >= 5) { - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, "ipv4 header\n"); + NDPI_LOG_DBG2(ndpi_struct, "ipv4 header\n"); } #ifdef NDPI_DETECTION_SUPPORT_IPV6 else if(decaps_iph && decaps_iph->version == 6 && l3len >= sizeof(struct ndpi_ipv6hdr) && (ndpi_struct->ip_version_limit & NDPI_DETECTION_ONLY_IPV4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, "ipv6 header\n"); + NDPI_LOG_DBG2(ndpi_struct, "ipv6 header\n"); flow->packet.iphv6 = (struct ndpi_ipv6hdr *)flow->packet.iph; flow->packet.iph = NULL; } @@ -3130,9 +3166,8 @@ static int ndpi_init_packet_header(struct ndpi_detection_module_struct *ndpi_str && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { memset(flow, 0, sizeof(*(flow))); - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, - NDPI_LOG_DEBUG, - "%s:%u: tcp syn packet for unknown protocol, reset detection state\n", __FUNCTION__, __LINE__); + NDPI_LOG_DBG(ndpi_struct, + "tcp syn packet for unknown protocol, reset detection state\n"); } } else { 
@@ -3351,11 +3386,11 @@ void check_ndpi_udp_flow_func(struct ndpi_detection_module_struct *ndpi_struct, && NDPI_BITMASK_COMPARE(ndpi_struct->callback_buffer_udp[a].detection_bitmask, detection_bitmask) != 0) { ndpi_struct->callback_buffer_udp[a].func(ndpi_struct, flow); - // NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, "[UDP,CALL] dissector of protocol as callback_buffer idx = %d\n",a); + // NDPI_LOG_DBG(ndpi_struct, "[UDP,CALL] dissector of protocol as callback_buffer idx = %d\n",a); if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) break; /* Stop after detecting the first protocol */ } else - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, + if(_ndpi_debug_callbacks) NDPI_LOG_DBG2(ndpi_struct, "[UDP,SKIP] dissector of protocol as callback_buffer idx = %d\n",a); } } @@ -3560,6 +3595,9 @@ ndpi_protocol ndpi_detection_process_packet(struct ndpi_detection_module_struct u_int32_t a; ndpi_protocol ret = { NDPI_PROTOCOL_UNKNOWN, NDPI_PROTOCOL_UNKNOWN }; + if(ndpi_struct->ndpi_log_level >= NDPI_LOG_TRACE) + NDPI_LOG(flow ? flow->detected_protocol_stack[0]:NDPI_PROTOCOL_UNKNOWN, + ndpi_struct, NDPI_LOG_TRACE, "START packet processing\n"); if(flow == NULL) return(ret); @@ -3911,7 +3949,7 @@ void ndpi_parse_packet_line_info(struct ndpi_detection_module_struct *ndpi_struc flow->http.response_status_code[4]='\0'; - NDPI_LOG(NDPI_PROTOCOL_UNKNOWN, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "ndpi_parse_packet_line_info: HTTP response parsed: \"%.*s\"\n", packet->http_response.len, packet->http_response.ptr); } 
@@ -4138,13 +4176,13 @@ u_int16_t ndpi_check_for_email_address(struct ndpi_detection_module_struct *ndpi struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "called ndpi_check_for_email_address\n"); + NDPI_LOG_DBG2(ndpi_struct, "called ndpi_check_for_email_address\n"); if(packet->payload_packet_len > counter && ((packet->payload[counter] >= 'a' && packet->payload[counter] <= 'z') || (packet->payload[counter] >= 'A' && packet->payload[counter] <= 'Z') || (packet->payload[counter] >= '0' && packet->payload[counter] <= '9') || packet->payload[counter] == '-' || packet->payload[counter] == '_')) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "first letter\n"); + NDPI_LOG_DBG2(ndpi_struct, "first letter\n"); counter++; while (packet->payload_packet_len > counter && ((packet->payload[counter] >= 'a' && packet->payload[counter] <= 'z') 
@@ -4152,44 +4190,44 @@ u_int16_t ndpi_check_for_email_address(struct ndpi_detection_module_struct *ndpi || (packet->payload[counter] >= '0' && packet->payload[counter] <= '9') || packet->payload[counter] == '-' || packet->payload[counter] == '_' || packet->payload[counter] == '.')) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "further letter\n"); + NDPI_LOG_DBG2(ndpi_struct, "further letter\n"); counter++; if(packet->payload_packet_len > counter && packet->payload[counter] == '@') { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "@\n"); + NDPI_LOG_DBG2(ndpi_struct, "@\n"); counter++; while (packet->payload_packet_len > counter && ((packet->payload[counter] >= 'a' && packet->payload[counter] <= 'z') || (packet->payload[counter] >= 'A' && packet->payload[counter] <= 'Z') || (packet->payload[counter] >= '0' && packet->payload[counter] <= '9') || packet->payload[counter] == '-' || packet->payload[counter] == '_')) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "letter\n"); + NDPI_LOG_DBG2(ndpi_struct, "letter\n"); counter++; if(packet->payload_packet_len > counter && packet->payload[counter] == '.') { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, ".\n"); + NDPI_LOG_DBG2(ndpi_struct, ".\n"); counter++; if(packet->payload_packet_len > counter + 1 && ((packet->payload[counter] >= 'a' && packet->payload[counter] <= 'z') && (packet->payload[counter + 1] >= 'a' && packet->payload[counter + 1] <= 'z'))) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "two letters\n"); + NDPI_LOG_DBG2(ndpi_struct, "two letters\n"); counter += 2; if(packet->payload_packet_len > counter && (packet->payload[counter] == ' ' || packet->payload[counter] == ';')) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "whitespace1\n"); + NDPI_LOG_DBG2(ndpi_struct, "whitespace1\n"); return counter; } else if(packet->payload_packet_len > counter && packet->payload[counter] >= 'a' && packet->payload[counter] <= 'z') { - 
NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "one letter\n"); + NDPI_LOG_DBG2(ndpi_struct, "one letter\n"); counter++; if(packet->payload_packet_len > counter && (packet->payload[counter] == ' ' || packet->payload[counter] == ';')) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "whitespace2\n"); + NDPI_LOG_DBG2(ndpi_struct, "whitespace2\n"); return counter; } else if(packet->payload_packet_len > counter && packet->payload[counter] >= 'a' && packet->payload[counter] <= 'z') { counter++; if(packet->payload_packet_len > counter && (packet->payload[counter] == ' ' || packet->payload[counter] == ';')) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "whitespace3\n"); + NDPI_LOG_DBG2(ndpi_struct, "whitespace3\n"); return counter; } else { return 0; @@ -4835,7 +4873,6 @@ int ndpi_get_protocol_id(struct ndpi_detection_module_struct *ndpi_mod, char *pr void ndpi_dump_protocols(struct ndpi_detection_module_struct *ndpi_mod) { int i; - for(i=0; i<(int)ndpi_mod->ndpi_num_supported_protocols; i++) printf("[%3d] %s\n", i, ndpi_mod->proto_defaults[i].protoName); } @@ -4941,7 +4978,7 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str strncpy(m, string_to_match, len); m[len] = '\0'; - printf("[NDPI] ndpi_match_host_subprotocol(%s): %s\n", + NDPI_LOG_DBG2(ndpi_struct, "[NDPI] ndpi_match_host_subprotocol(%s): %s\n", m, ndpi_struct->proto_defaults[matching_protocol_id].protoName); } #endif @@ -4959,7 +4996,7 @@ static int ndpi_automa_match_string_subprotocol(struct ndpi_detection_module_str #ifdef DEBUG string_to_match[string_to_match_len] = '\0'; - printf("[NTOP] Unable to find a match for '%s'\n", string_to_match); + NDPI_LOG_DBG2(ndpi_struct, "[NTOP] Unable to find a match for '%s'\n", string_to_match); #endif return(NDPI_PROTOCOL_UNKNOWN); 
@@ -5073,7 +5110,6 @@ int NDPI_BITMASK_IS_EMPTY(NDPI_PROTOCOL_BITMASK a) { void NDPI_DUMP_BITMASK(NDPI_PROTOCOL_BITMASK a) { int i; - for(i=0; ipacket; + NDPI_LOG_DBG(ndpi_struct, "search AFP\n"); + if (packet->payload_packet_len >= sizeof(struct afpHeader)) { struct afpHeader *h = (struct afpHeader*)packet->payload; @@ -64,7 +70,7 @@ void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, struct nd get_u_int32_t(packet->payload, 8) == htonl(packet->payload_packet_len - 16) && get_u_int32_t(packet->payload, 12) == 0 && get_u_int16_t(packet->payload, 16) == htons(0x0104)) { - NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI OpenSession detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found AFP: DSI OpenSession\n"); ndpi_int_afp_add_connection(ndpi_struct, flow); return; } @@ -73,14 +79,13 @@ void ndpi_search_afp(struct ndpi_detection_module_struct *ndpi_struct, struct nd && ((h->command >= 1) && (h->command <= 8)) && (h->reserved == 0) && (packet->payload_packet_len >= (sizeof(struct afpHeader)+ntohl(h->length)))) { - NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP: DSI detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found AFP: DSI\n"); ndpi_int_afp_add_connection(ndpi_struct, flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_AFP, ndpi_struct, NDPI_LOG_DEBUG, "AFP excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AFP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/aimini.c b/src/lib/protocols/aimini.c index 147762815..fb439f817 100644 --- a/src/lib/protocols/aimini.c +++ b/src/lib/protocols/aimini.c @@ -23,10 +23,14 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_AIMINI +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_AIMINI + +#include "ndpi_api.h" + static void ndpi_int_aimini_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , */ /* ndpi_protocol_type_t protocol_type */) 
@@ -50,43 +54,40 @@ static u_int8_t is_special_aimini_host(struct ndpi_int_one_line_struct host_line void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "search aimini.\n"); + NDPI_LOG_DBG(ndpi_struct, "search aimini\n"); if (packet->udp != NULL) { if (flow->l4.udp.aimini_stage == 0) { if (packet->payload_packet_len == 64 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010b) { flow->l4.udp.aimini_stage = 1; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 1.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 1\n"); return; } if (packet->payload_packet_len == 136 && (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165)) { flow->l4.udp.aimini_stage = 4; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 4.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 4\n"); return; } if (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101) { flow->l4.udp.aimini_stage = 7; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 7.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 7\n"); return; } if (packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) { flow->l4.udp.aimini_stage = 10; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 10.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 10\n"); return; } if (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) { flow->l4.udp.aimini_stage = 13; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 13.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 13\n"); return; } if (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 
0x010c) { flow->l4.udp.aimini_stage = 16; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 16.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 16\n"); return; } } @@ -96,7 +97,7 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct if (flow->l4.udp.aimini_stage == 1 && packet->payload_packet_len > 100 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0115) { flow->l4.udp.aimini_stage = 2; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 2.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 2\n"); return; } if (flow->l4.udp.aimini_stage == 2 && @@ -104,14 +105,14 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct (packet->payload_packet_len == 64 && get_u_int16_t(packet->payload, 0) == htons(0x010b)) || (packet->payload_packet_len == 88 && get_u_int16_t(packet->payload, 0) == ntohs(0x0115)))) { flow->l4.udp.aimini_stage = 3; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 3.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 3\n"); return; } if (flow->l4.udp.aimini_stage == 3 && ((packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c) || (packet->payload_packet_len == 64 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010b) || (packet->payload_packet_len > 100 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0115))) { - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "found aimini (64, 0x010b), (>300, 0x0115), " + NDPI_LOG_INFO(ndpi_struct, "found aimini (64, 0x010b), (>300, 0x0115), " "(16, 0x010c || 64, 0x010b), (16, 0x010c || 64, 0x010b || >100, 0x0115).\n"); ndpi_int_aimini_add_connection(ndpi_struct, flow); return; 
@@ -122,14 +123,14 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct if (flow->l4.udp.aimini_stage == 4 && packet->payload_packet_len == 136 && (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165)) { flow->l4.udp.aimini_stage = 5; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 5.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 5\n"); return; } if (flow->l4.udp.aimini_stage == 5 && (packet->payload_packet_len == 136 && (ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9 || ntohs(get_u_int16_t(packet->payload, 0)) == 0x0165))) { flow->l4.udp.aimini_stage = 6; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 6.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 6\n"); return; } if (flow->l4.udp.aimini_stage == 6 && ((packet->payload_packet_len == 136 @@ -137,7 +138,7 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct || ntohs(get_u_int16_t(packet->payload, 0)) == 0x01c9)) || (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) { - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found aimini (136, 0x01c9), (136, 0x01c9)," "(136, 0x01c9),(136, 0x01c9 || 32, 0x01ca).\n"); ndpi_int_aimini_add_connection(ndpi_struct, flow); return; 
@@ -148,18 +149,18 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct if (flow->l4.udp.aimini_stage == 7 && packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101) { flow->l4.udp.aimini_stage = 8; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 8.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 8\n"); return; } if (flow->l4.udp.aimini_stage == 8 && (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101)) { flow->l4.udp.aimini_stage = 9; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 9.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 9\n"); return; } if (flow->l4.udp.aimini_stage == 9 && (packet->payload_packet_len == 88 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0101)) { - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found aimini (88, 0x0101), (88, 0x0101)," "(88, 0x0101),(88, 0x0101).\n"); ndpi_int_aimini_add_connection(ndpi_struct, flow); return; 
@@ -170,19 +171,19 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct if (flow->l4.udp.aimini_stage == 10 && packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) { flow->l4.udp.aimini_stage = 11; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 11.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 11\n"); return; } if (flow->l4.udp.aimini_stage == 11 && (packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102)) { flow->l4.udp.aimini_stage = 12; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 12.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 12\n"); return; } if (flow->l4.udp.aimini_stage == 12 && ((packet->payload_packet_len == 104 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0102) || (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) { - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found aimini (104, 0x0102), (104, 0x0102), " "(104, 0x0102), (104, 0x0102).\n"); ndpi_int_aimini_add_connection(ndpi_struct, flow); return; 
@@ -193,20 +194,20 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct if (flow->l4.udp.aimini_stage == 13 && packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) { flow->l4.udp.aimini_stage = 14; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 14.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 14\n"); return; } if (flow->l4.udp.aimini_stage == 14 && ((packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca) || (packet->payload_packet_len == 136 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0166))) { flow->l4.udp.aimini_stage = 15; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 15.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 15\n"); return; } if (flow->l4.udp.aimini_stage == 15 && ((packet->payload_packet_len == 136 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0166) || (packet->payload_packet_len == 32 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x01ca))) { - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found aimini (32,0x01ca), (32,0x01ca), (32,0x01ca), ((136, 0x0166)||(32,0x01ca)).\n"); ndpi_int_aimini_add_connection(ndpi_struct, flow); return; 
@@ -217,18 +218,18 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct if (flow->l4.udp.aimini_stage == 16 && packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c) { flow->l4.udp.aimini_stage = 17; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 17.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 17\n"); return; } if (flow->l4.udp.aimini_stage == 17 && (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c)) { flow->l4.udp.aimini_stage = 18; - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "stage = 18.\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage = 18\n"); return; } if (flow->l4.udp.aimini_stage == 18 && (packet->payload_packet_len == 16 && ntohs(get_u_int16_t(packet->payload, 0)) == 0x010c)) { - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found aimini (16, 0x010c), (16, 0x010c), (16, 0x010c), (16, 0x010c).\n"); ndpi_int_aimini_add_connection(ndpi_struct, flow); return; @@ -238,11 +239,11 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct (memcmp(packet->payload, "GET /player/", NDPI_STATICSTRING_LEN("GET /player/")) == 0)) || (packet->payload_packet_len > NDPI_STATICSTRING_LEN("GET /play/?fid=") && (memcmp(packet->payload, "GET /play/?fid=", NDPI_STATICSTRING_LEN("GET /play/?fid=")) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "HTTP packet detected.\n"); + NDPI_LOG_DBG2(ndpi_struct, "HTTP packet detected\n"); ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->host_line.ptr != NULL && packet->host_line.len > 11 && (memcmp(&packet->host_line.ptr[packet->host_line.len - 11], ".aimini.net", 11) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "AIMINI HTTP traffic detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found AIMINI HTTP traffic\n"); ndpi_int_aimini_add_connection(ndpi_struct, flow); return; } 
@@ -255,8 +256,8 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct NDPI_STATICSTRING_LEN("download/")) == 0) { ndpi_parse_packet_line_info(ndpi_struct, flow); if (is_special_aimini_host(packet->host_line) == 1) { - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, - "AIMINI HTTP traffic detected.\n"); + NDPI_LOG_INFO(ndpi_struct, + "found AIMINI HTTP traffic\n"); ndpi_int_aimini_add_connection(ndpi_struct, flow); return; } @@ -266,8 +267,8 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct NDPI_STATICSTRING_LEN("upload/")) == 0) { ndpi_parse_packet_line_info(ndpi_struct, flow); if (is_special_aimini_host(packet->host_line) == 1) { - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, - "AIMINI HTTP traffic detected.\n"); + NDPI_LOG_INFO(ndpi_struct, + "found AIMINI HTTP traffic detected.\n"); ndpi_int_aimini_add_connection(ndpi_struct, flow); return; } @@ -276,8 +277,7 @@ void ndpi_search_aimini(struct ndpi_detection_module_struct *ndpi_struct, struct } } - NDPI_LOG(NDPI_PROTOCOL_AIMINI, ndpi_struct, NDPI_LOG_DEBUG, "exclude aimini.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AIMINI); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/amqp.c b/src/lib/protocols/amqp.c index 72bbc0a38..6b530c16d 100644 --- a/src/lib/protocols/amqp.c +++ b/src/lib/protocols/amqp.c @@ -18,10 +18,15 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_AMQP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_AMQP + +#include "ndpi_api.h" + + PACK_ON struct amqp_header { u_int8_t ptype; 
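Review bot: The new message in the hunk at `@@ -266,8 +267,8 @@` reads `"found AIMINI HTTP traffic detected.\n"`, while the two sibling branches were changed to `"found AIMINI HTTP traffic\n"`. The old "detected." suffix survived the mechanical rewrite, so identical events now log differently, which makes log matching harder. Use `"found AIMINI HTTP traffic\n"` here as well. The battlefield.c hunks later in this commit have the same leftover ("found Battlefield message and reply detected", "found Battlefield 2 hello packet detected", "found Battlefield safe pattern detected").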
@@ -39,7 +44,7 @@ static void ndpi_int_amqp_add_connection(struct ndpi_detection_module_struct *nd void ndpi_search_amqp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_AMQP, ndpi_struct, NDPI_LOG_DEBUG, "search amqp. \n"); + NDPI_LOG_DBG(ndpi_struct, "search amqp\n"); if (packet->tcp != NULL) { if(packet->payload_packet_len > sizeof(struct amqp_header)) { @@ -57,7 +62,7 @@ void ndpi_search_amqp(struct ndpi_detection_module_struct *ndpi_struct, struct n u_int16_t method = htons(h->method); if(method <= 120 /* Method basic NACK */) { - NDPI_LOG(NDPI_PROTOCOL_AMQP, ndpi_struct, NDPI_LOG_DEBUG, "found amqp over tcp. \n"); + NDPI_LOG_INFO(ndpi_struct, "found amqp over tcp\n"); ndpi_int_amqp_add_connection(ndpi_struct, flow); return; } @@ -65,6 +70,8 @@ void ndpi_search_amqp(struct ndpi_detection_module_struct *ndpi_struct, struct n } } } + } else { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/applejuice.c b/src/lib/protocols/applejuice.c index a7ef0ce65..a80c39d7f 100644 --- a/src/lib/protocols/applejuice.c +++ b/src/lib/protocols/applejuice.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_APPLEJUICE +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_APPLEJUICE + +#include "ndpi_api.h" + static void ndpi_int_applejuice_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
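Review bot: The `else` added in the amqp.c hunk at `@@ -65,6 +70,8 @@` attaches, as far as the braces in the hunk show, to `if (packet->tcp != NULL)`, so `NDPI_EXCLUDE_PROTO` runs only for non-TCP packets. A TCP flow that never matches is never excluded: `ndpi_search_amqp` is called again for every later packet, and any mid-flow payload that happens to pass the header test is still classified as AMQP. Consider excluding inside the TCP branch once the flow has had a bounded number of chances, for example `if(flow->packet_counter > AMQP_MAX_PKTS /* placeholder threshold */) NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`. The body of the function starts outside this hunk.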
@@ -37,21 +41,18 @@ void ndpi_search_applejuice_tcp(struct ndpi_detection_module_struct *ndpi_struct struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - NDPI_LOG(NDPI_PROTOCOL_APPLEJUICE, ndpi_struct, NDPI_LOG_DEBUG, "search applejuice.\n"); + NDPI_LOG_DBG(ndpi_struct, "search applejuice\n"); if ((packet->payload_packet_len > 7) && (packet->payload[6] == 0x0d) && (packet->payload[7] == 0x0a) && (memcmp(packet->payload, "ajprot", 6) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_APPLEJUICE, ndpi_struct, NDPI_LOG_DEBUG, "detected applejuice.\n"); + NDPI_LOG_INFO(ndpi_struct, "found applejuice\n"); ndpi_int_applejuice_add_connection(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_APPLEJUICE, ndpi_struct, NDPI_LOG_DEBUG, "exclude applejuice.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_APPLEJUICE); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/armagetron.c b/src/lib/protocols/armagetron.c index 61a32326e..7f4fb9ec0 100644 --- a/src/lib/protocols/armagetron.c +++ b/src/lib/protocols/armagetron.c 
@@ -22,27 +22,26 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_ARMAGETRON +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ARMAGETRON + +#include "ndpi_api.h" + static void ndpi_int_armagetron_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ARMAGETRON, NDPI_PROTOCOL_UNKNOWN); } void ndpi_search_armagetron_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_ARMAGETRON, ndpi_struct, NDPI_LOG_DEBUG, "search armagetron.\n"); + NDPI_LOG_DBG(ndpi_struct, "search armagetron\n"); if (packet->payload_packet_len > 10) { /* login request */ @@ -52,7 +51,7 @@ void ndpi_search_armagetron_udp(struct ndpi_detection_module_struct *ndpi_struct goto exclude; if (get_u_int16_t(packet->payload, 6) == htons(0x0008) && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == 0) { - NDPI_LOG(NDPI_PROTOCOL_ARMAGETRON, ndpi_struct, NDPI_LOG_DEBUG, "detected armagetron.\n"); + NDPI_LOG_INFO(ndpi_struct, "found armagetron\n"); ndpi_int_armagetron_add_connection(ndpi_struct, flow); return; } @@ -65,7 +64,7 @@ void ndpi_search_armagetron_udp(struct ndpi_detection_module_struct *ndpi_struct goto exclude; if (get_u_int32_t(packet->payload, 6) == htonl(0x00000500) && get_u_int32_t(packet->payload, 6 + 4) == htonl(0x00010000) && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == 0) { - NDPI_LOG(NDPI_PROTOCOL_ARMAGETRON, ndpi_struct, NDPI_LOG_DEBUG, "detected armagetron.\n"); + NDPI_LOG_INFO(ndpi_struct, "found armagetron\n"); ndpi_int_armagetron_add_connection(ndpi_struct, flow); return; } 
@@ -85,7 +84,7 @@ void ndpi_search_armagetron_udp(struct ndpi_detection_module_struct *ndpi_struct && (get_u_int32_t(packet->payload, 6 + 10 + val) == htonl(0x00010000) || get_u_int32_t(packet->payload, 6 + 10 + val) == htonl(0x00000001)) && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == 0) { - NDPI_LOG(NDPI_PROTOCOL_ARMAGETRON, ndpi_struct, NDPI_LOG_DEBUG, "detected armagetron.\n"); + NDPI_LOG_INFO(ndpi_struct, "found armagetron\n"); ndpi_int_armagetron_add_connection(ndpi_struct, flow); return; } @@ -94,8 +93,7 @@ void ndpi_search_armagetron_udp(struct ndpi_detection_module_struct *ndpi_struct } exclude: - NDPI_LOG(NDPI_PROTOCOL_ARMAGETRON, ndpi_struct, NDPI_LOG_DEBUG, "exclude armagetron.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ARMAGETRON); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/ayiya.c b/src/lib/protocols/ayiya.c index 6e5401093..bc993cfe3 100644 --- a/src/lib/protocols/ayiya.c +++ b/src/lib/protocols/ayiya.c @@ -26,10 +26,14 @@ http://tools.ietf.org/html/rfc4891 */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_AYIYA +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_AYIYA + +#include "ndpi_api.h" + struct ayiya { u_int8_t flags[3]; u_int8_t next_header; @@ -42,6 +46,8 @@ void ndpi_search_ayiya(struct ndpi_detection_module_struct *ndpi_struct, struct { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search AYIYA\n"); + if(packet->udp && (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)) { /* Ayiya is udp based, port 5072 */ if ((packet->udp->source == htons(5072) || packet->udp->dest == htons(5072)) 
@@ -55,13 +61,15 @@ void ndpi_search_ayiya(struct ndpi_detection_module_struct *ndpi_struct, struct now = flow->packet.tick_timestamp; - if((epoch >= (now - fiveyears)) && (epoch <= (now+86400 /* 1 day */))) + if((epoch >= (now - fiveyears)) && (epoch <= (now+86400 /* 1 day */))) { + NDPI_LOG_INFO(ndpi_struct, "found AYIYA\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_AYIYA, NDPI_PROTOCOL_UNKNOWN); + } return; } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_AYIYA); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/battlefield.c b/src/lib/protocols/battlefield.c index 6087e67a4..23a3749b2 100644 --- a/src/lib/protocols/battlefield.c +++ b/src/lib/protocols/battlefield.c @@ -22,10 +22,13 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_BATTLEFIELD +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BATTLEFIELD + +#include "ndpi_api.h" static void ndpi_int_battlefield_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -53,12 +56,12 @@ void ndpi_search_battlefield(struct ndpi_detection_module_struct *ndpi_struct, s if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_BATTLEFIELD) { if (src != NULL && ((u_int32_t) (packet->tick_timestamp - src->battlefield_ts) < ndpi_struct->battlefield_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_BATTLEFIELD, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "battlefield : save src connection packet detected\n"); src->battlefield_ts = packet->tick_timestamp; } else if (dst != NULL && ((u_int32_t) (packet->tick_timestamp - dst->battlefield_ts) < ndpi_struct->battlefield_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_BATTLEFIELD, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "battlefield : save dst connection packet detected\n"); dst->battlefield_ts = packet->tick_timestamp; } 
@@ -74,8 +77,7 @@ void ndpi_search_battlefield(struct ndpi_detection_module_struct *ndpi_struct, s } } else if (flow->l4.udp.battlefield_stage == 2 - packet->packet_direction) { if (packet->payload_packet_len > 8 && get_u_int32_t(packet->payload, 0) == flow->l4.udp.battlefield_msg_id) { - NDPI_LOG(NDPI_PROTOCOL_BATTLEFIELD, ndpi_struct, - NDPI_LOG_DEBUG, "Battlefield message and reply detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Battlefield message and reply detected\n"); ndpi_int_battlefield_add_connection(ndpi_struct, flow); return; } 
@@ -91,28 +93,26 @@ void ndpi_search_battlefield(struct ndpi_detection_module_struct *ndpi_struct, s } else if (flow->l4.udp.battlefield_stage == 4 - packet->packet_direction) { if (packet->payload_packet_len == 7 && (packet->payload[0] == 0x02 || packet->payload[packet->payload_packet_len - 1] == 0xe0)) { - NDPI_LOG(NDPI_PROTOCOL_BATTLEFIELD, ndpi_struct, NDPI_LOG_DEBUG, - "Battlefield message and reply detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Battlefield message and reply detected\n"); ndpi_int_battlefield_add_connection(ndpi_struct, flow); return; } } if (packet->payload_packet_len == 18 && memcmp(&packet->payload[5], "battlefield2\x00", 13) == 0) { - NDPI_LOG(NDPI_PROTOCOL_BATTLEFIELD, ndpi_struct, NDPI_LOG_DEBUG, "Battlefield 2 hello packet detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Battlefield 2 hello packet detected\n"); ndpi_int_battlefield_add_connection(ndpi_struct, flow); return; } else if (packet->payload_packet_len > 10 && (memcmp(packet->payload, "\x11\x20\x00\x01\x00\x00\x50\xb9\x10\x11", 10) == 0 || memcmp(packet->payload, "\x11\x20\x00\x01\x00\x00\x30\xb9\x10\x11", 10) == 0 || memcmp(packet->payload, "\x11\x20\x00\x01\x00\x00\xa0\x98\x00\x11", 10) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_BATTLEFIELD, ndpi_struct, NDPI_LOG_DEBUG, "Battlefield safe pattern detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Battlefield safe pattern detected\n"); ndpi_int_battlefield_add_connection(ndpi_struct, flow); return; } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_BATTLEFIELD); - return; + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/bgp.c b/src/lib/protocols/bgp.c index a45514b7d..f7896968b 100644 --- a/src/lib/protocols/bgp.c +++ b/src/lib/protocols/bgp.c 
@@ -20,16 +20,24 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" + +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_BGP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BGP + +#include "ndpi_api.h" + + /* this detection also works asymmetrically */ void ndpi_search_bgp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; u_int16_t bgp_port = htons(179); + NDPI_LOG_DBG(ndpi_struct, "search BGP\n"); + if(packet->tcp) { if(packet->payload_packet_len > 18 && packet->payload[18] < 5 @@ -38,13 +46,13 @@ void ndpi_search_bgp(struct ndpi_detection_module_struct *ndpi_struct, struct nd && (get_u_int64_t(packet->payload, 8) == 0xffffffffffffffffULL) && (ntohs(get_u_int16_t(packet->payload, 16)) <= packet->payload_packet_len)) { - NDPI_LOG(NDPI_PROTOCOL_BGP, ndpi_struct, NDPI_LOG_DEBUG, "BGP detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found BGP\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_BGP, NDPI_PROTOCOL_UNKNOWN); return; } } - /* exclude BGP */ - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_BGP); + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/bittorrent.c b/src/lib/protocols/bittorrent.c index a3eef585c..727992702 100644 --- a/src/lib/protocols/bittorrent.c +++ b/src/lib/protocols/bittorrent.c @@ -23,8 +23,14 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_BITTORRENT + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BITTORRENT + +#include "ndpi_api.h" + #define NDPI_PROTOCOL_UNSAFE_DETECTION 0 #define NDPI_PROTOCOL_SAFE_DETECTION 1 
@@ -87,10 +93,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module if(flow->packet_counter == 2 && packet->payload_packet_len > 20) { if(memcmp(&packet->payload[0], "BitTorrent protocol", 19) == 0) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, - ndpi_struct, NDPI_LOG_TRACE, "BT: plain BitTorrent protocol detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, 19, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } } @@ -99,19 +104,18 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module /* test for match 0x13+"BitTorrent protocol" */ if(packet->payload[0] == 0x13) { if(memcmp(&packet->payload[1], "BitTorrent protocol", 19) == 0) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "BT: plain BitTorrent protocol detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, 20, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } } } if(packet->payload_packet_len > 23 && memcmp(packet->payload, "GET /webseed?info_hash=", 23) == 0) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, - NDPI_LOG_TRACE, "BT: plain webseed BitTorrent protocol detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: plain webseed\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } /* seen Azureus as server for webseed, possibly other servers existing, to implement */ 
@@ -119,10 +123,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module /* no asymmetric detection possible for answer of pattern "GET /data?fid=". */ if(packet->payload_packet_len > 60 && memcmp(packet->payload, "GET /data?fid=", 14) == 0 && memcmp(&packet->payload[54], "&size=", 6) == 0) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, - NDPI_LOG_TRACE, "BT: plain Bitcomet persistent seed protocol detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: plain Bitcomet persistent seed\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } @@ -140,10 +143,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module && ((packet->user_agent_line.len > 8 && memcmp(packet->user_agent_line.ptr, "Azureus ", 8) == 0) || (packet->user_agent_line.len >= 10 && memcmp(packet->user_agent_line.ptr, "BitTorrent", 10) == 0) || (packet->user_agent_line.len >= 11 && memcmp(packet->user_agent_line.ptr, "BTWebClient", 11) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, - NDPI_LOG_TRACE, "Azureus /Bittorrent user agent line detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: Azureus /Bittorrent user agent\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } 
@@ -151,10 +153,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module && (packet->user_agent_line.len >= 9 && memcmp(packet->user_agent_line.ptr, "Shareaza ", 9) == 0) && (packet->parsed_lines > 8 && packet->line[8].ptr != 0 && packet->line[8].len >= 9 && memcmp(packet->line[8].ptr, "X-Queue: ", 9) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, - NDPI_LOG_TRACE, "Bittorrent Shareaza detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: Shareaza detected\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } @@ -186,9 +187,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module && packet->line[8].ptr != NULL && packet->line[8].len > 22 && memcmp(packet->line[8].ptr, "Cache-Control: no-cache", 23) == 0) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "Bitcomet LTS detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: Bitcomet LTS\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } @@ -211,9 +212,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module && packet->line[6].ptr != NULL && packet->line[6].len > 21 && memcmp(packet->line[6].ptr, "Connection: Keep-Alive", 22) == 0) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "FlashGet detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: FlashGet\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } 
@@ -232,9 +233,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module && packet->line[5].ptr != NULL && packet->line[5].len > 21 && memcmp(packet->line[5].ptr, "Connection: Keep-Alive", 22) == 0) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_TRACE, "FlashGet detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: FlashGet\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_UNSAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } @@ -250,8 +251,7 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module ptr++; } - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, - NDPI_LOG_TRACE, " BT stat: tracker info hash found\n"); + NDPI_LOG_DBG2(ndpi_struct, " BT stat: tracker info hash found\n"); /* len is > 50, so save operation here */ len -= 10; @@ -300,10 +300,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module } } - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, - NDPI_LOG_TRACE, " BT stat: tracker info hash parsed\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: tracker info hash parsed\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } 
@@ -329,10 +328,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module /* did not see this pattern anywhere */ if((memcmp(&packet->payload[0], pattern_20_bytes, 20) == 0) && (memcmp(&packet->payload[52], pattern_12_bytes, 12) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, - NDPI_LOG_TRACE, "BT: Warez - Plain BitTorrent protocol detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: Warez - Plain\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return 1; } } @@ -344,11 +342,9 @@ static u_int8_t ndpi_int_search_bittorrent_tcp_zero(struct ndpi_detection_module /* haven't fount this pattern anywhere */ if(packet->host_line.ptr != NULL && packet->host_line.len >= 9 && memcmp(packet->host_line.ptr, "ip2p.com:", 9) == 0) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, - ndpi_struct, NDPI_LOG_TRACE, - "BT: Warez - Plain BitTorrent protocol detected due to Host: ip2p.com: pattern\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: Warez - Plain Host: ip2p.com: pattern\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 1, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_WEBSEED_DETECTION); return 1; } } 
@@ -370,13 +366,11 @@ static void ndpi_int_search_bittorrent_tcp(struct ndpi_detection_module_struct * /* exclude stage 0 detection from next run */ flow->bittorrent_stage = 1; if(ndpi_int_search_bittorrent_tcp_zero(ndpi_struct, flow) != 0) { - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_DEBUG, - "stage 0 has detected something, returning\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage 0 has detected something, returning\n"); return; } - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, ndpi_struct, NDPI_LOG_DEBUG, - "stage 0 has no direct detection, fall through\n"); + NDPI_LOG_DBG2(ndpi_struct, "stage 0 has no direct detection, fall through\n"); } return; } @@ -392,7 +386,7 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st || (packet->udp && ((ntohs(packet->udp->source) == 3544) /* teredo.c */ || (ntohs(packet->udp->dest) == 3544))))) { - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_BITTORRENT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -481,18 +475,16 @@ void ndpi_search_bittorrent(struct ndpi_detection_module_struct *ndpi_struct, st if(bt_proto && (packet->payload_packet_len > 47)) memcpy(flow->protos.bittorrent.hash, &bt_proto[27], 20); - NDPI_LOG(NDPI_PROTOCOL_BITTORRENT, - ndpi_struct, NDPI_LOG_TRACE, "BT: plain BitTorrent protocol detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found BT: plain\n"); ndpi_add_connection_as_bittorrent(ndpi_struct, flow, -1, 0, - NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); + NDPI_PROTOCOL_SAFE_DETECTION, NDPI_PROTOCOL_PLAIN_DETECTION); return; } } return; } - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_BITTORRENT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } } diff --git a/src/lib/protocols/bjnp.c b/src/lib/protocols/bjnp.c index 28ddede05..f9f690308 100644 --- a/src/lib/protocols/bjnp.c +++ b/src/lib/protocols/bjnp.c 
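Review bot: In the `@@ -481,18 +475,16 @@` hunk of ndpi_search_bittorrent, the guard before `memcpy(flow->protos.bittorrent.hash, &bt_proto[27], 20)` tests only `packet->payload_packet_len > 47`, which bounds the copy only while bt_proto sits at a fixed offset near the start of the payload. How bt_proto is derived is outside the hunk; if it can point further into the packet, reading bytes 27..46 behind it can run past the payload. Checking the bytes that remain after bt_proto removes that dependency, e.g. `if(bt_proto && ((const u_int8_t *)bt_proto + 47 <= packet->payload + packet->payload_packet_len))`, with the cast adjusted to bt_proto's declared type.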
@@ -1,7 +1,10 @@ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_BJNP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_BJNP + +#include "ndpi_api.h" static void ndpi_int_bjnp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, @@ -23,22 +26,21 @@ static void ndpi_check_bjnp(struct ndpi_detection_module_struct *ndpi_struct, st || (memcmp((const char *)packet->payload, "BJNB", 4) == 0) || (memcmp((const char *)packet->payload, "MFNP", 4) == 0) ) { - NDPI_LOG(NDPI_PROTOCOL_BJNP, ndpi_struct, NDPI_LOG_DEBUG, "Found bjnp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found bjnp\n"); ndpi_int_bjnp_add_connection(ndpi_struct, flow, 0); return; } } } - NDPI_LOG(NDPI_PROTOCOL_BJNP, ndpi_struct, NDPI_LOG_DEBUG, "exclude bjnp.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_BJNP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_bjnp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_BJNP, ndpi_struct, NDPI_LOG_DEBUG, "bjnp detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search bjnp\n"); /* skip marked packets */ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_BJNP) { diff --git a/src/lib/protocols/btlib.c b/src/lib/protocols/btlib.c index 4d44198d1..66d9654bc 100644 --- a/src/lib/protocols/btlib.c +++ b/src/lib/protocols/btlib.c @@ -181,8 +181,8 @@ static void _print_safe_str(char *msg,char *k,const u_int8_t *s,size_t l) { static void print_safe_str(char *msg,bt_parse_data_cb_t *cbd) { _print_safe_str(msg,cbd->buf,cbd->v.s.s,cbd->v.s.l); } - #define DEBUG_TRACE(cmd) { if(bt_parse_debug) cmd; } + #define STREQ(a,b) !strcmp(a,b) diff --git a/src/lib/protocols/ciscovpn.c b/src/lib/protocols/ciscovpn.c index 6c2fc1829..e04fba936 100644 --- a/src/lib/protocols/ciscovpn.c +++ b/src/lib/protocols/ciscovpn.c 
@@ -4,10 +4,15 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_CISCOVPN +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CISCOVPN + +#include "ndpi_api.h" + + static void ndpi_int_ciscovpn_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CISCOVPN, NDPI_PROTOCOL_UNKNOWN); @@ -20,15 +25,15 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru u_int16_t tdport = 0, tsport = 0; - NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "search CISCOVPN.\n"); + NDPI_LOG_DBG(ndpi_struct, "search CISCOVPN\n"); if(packet->tcp != NULL) { tsport = ntohs(packet->tcp->source), tdport = ntohs(packet->tcp->dest); - NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "calculated CISCOVPN over tcp ports.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculated CISCOVPN over tcp ports\n"); } if(packet->udp != NULL) { usport = ntohs(packet->udp->source), udport = ntohs(packet->udp->dest); - NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "calculated CISCOVPN over udp ports.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculated CISCOVPN over udp ports\n"); } if((tdport == 10000 && tsport == 10000) || @@ -42,8 +47,9 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru { /* This is a good query 17010000*/ - NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "found CISCOVPN.\n"); + NDPI_LOG_INFO(ndpi_struct, "found CISCOVPN\n"); ndpi_int_ciscovpn_add_connection(ndpi_struct, flow); + return; } else if( ( 
@@ -59,11 +65,10 @@ void ndpi_search_ciscovpn(struct ndpi_detection_module_struct *ndpi_struct, stru /* This is a good query fe577e2b */ - NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "found CISCOVPN.\n"); + NDPI_LOG_INFO(ndpi_struct, "found CISCOVPN\n"); ndpi_int_ciscovpn_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_CISCOVPN, ndpi_struct, NDPI_LOG_DEBUG, "exclude CISCOVPN.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CISCOVPN); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/citrix.c b/src/lib/protocols/citrix.c index 92607579c..7d6406bff 100644 --- a/src/lib/protocols/citrix.c +++ b/src/lib/protocols/citrix.c @@ -21,10 +21,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_CITRIX + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CITRIX #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_CITRIX /* ************************************ */ 
@@ -45,26 +49,25 @@ static void ndpi_check_citrix(struct ndpi_detection_module_struct *ndpi_struct, char citrix_header[] = { 0x07, 0x07, 0x49, 0x43, 0x41, 0x00 }; if(memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) { - NDPI_LOG(NDPI_PROTOCOL_CITRIX, ndpi_struct, NDPI_LOG_DEBUG, "Found citrix.\n"); + NDPI_LOG_INFO(ndpi_struct, "found citrix\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN); } - return; } else if(payload_len > 4) { char citrix_header[] = { 0x1a, 0x43, 0x47, 0x50, 0x2f, 0x30, 0x31 }; if((memcmp(packet->payload, citrix_header, sizeof(citrix_header)) == 0) || (ndpi_strnstr((const char *)packet->payload, "Citrix.TcpProxyService", payload_len) != NULL)) { - NDPI_LOG(NDPI_PROTOCOL_CITRIX, ndpi_struct, NDPI_LOG_DEBUG, "Found citrix.\n"); + NDPI_LOG_INFO(ndpi_struct, "found citrix\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CITRIX, NDPI_PROTOCOL_UNKNOWN); } - return; } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CITRIX); - } else if(flow->l4.tcp.citrix_packet_id > 3) - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CITRIX); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } else if(flow->l4.tcp.citrix_packet_id > 3) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } return; } @@ -74,7 +77,7 @@ void ndpi_search_citrix(struct ndpi_detection_module_struct *ndpi_struct, struct { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_CITRIX, ndpi_struct, NDPI_LOG_DEBUG, "citrix detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search citrix\n"); /* skip marked packets */ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_CITRIX) diff --git a/src/lib/protocols/coap.c b/src/lib/protocols/coap.c index 252ffc9c4..288d15f23 100644 --- a/src/lib/protocols/coap.c +++ b/src/lib/protocols/coap.c 
@@ -21,10 +21,15 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_COAP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_COAP + +#include "ndpi_api.h" + + #define CON 0 #define NO_CON 1 #define ACK 2 @@ -116,14 +121,12 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, u_int16_t d_port = ntohs(flow->packet.udp->dest); if((!isCoAPport(s_port) && !isCoAPport(d_port)) - || (packet->payload_packet_len < 4) // header too short - ) { - NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "excluding Coap\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP); + || (packet->payload_packet_len < 4) ) { // header too short + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "calculating coap over udp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculating coap over udp\n"); // check values in header if(h->version == 1) { @@ -133,7 +136,7 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, (h->code >= 128 && h->code <= 134) || (h->code >= 140 && h->code <= 143) || (h->code >= 160 && h->code <= 165)) { - NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Coap found...\n"); + NDPI_LOG_INFO(ndpi_struct, "found Coap\n"); ndpi_int_coap_add_connection(ndpi_struct,flow); return; } @@ -142,8 +145,7 @@ void ndpi_search_coap (struct ndpi_detection_module_struct *ndpi_struct, } } - NDPI_LOG(NDPI_PROTOCOL_COAP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Coap ...\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COAP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } diff --git a/src/lib/protocols/collectd.c b/src/lib/protocols/collectd.c index 7e6227980..2d4a06bb3 100644 --- a/src/lib/protocols/collectd.c +++ b/src/lib/protocols/collectd.c 
@@ -19,16 +19,21 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_COLLECTD +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_COLLECTD + +#include "ndpi_api.h" + + void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; u_int len = 0; - NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "search collectd.\n"); + NDPI_LOG_DBG(ndpi_struct, "search collectd\n"); if (packet->udp == NULL) return; @@ -43,11 +48,10 @@ void ndpi_search_collectd(struct ndpi_detection_module_struct *ndpi_struct, stru } if(len == packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "found COLLECTD.\n"); + NDPI_LOG_INFO(ndpi_struct, "found COLLECTD\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_COLLECTD, NDPI_PROTOCOL_UNKNOWN); } else { - NDPI_LOG(NDPI_PROTOCOL_COLLECTD, ndpi_struct, NDPI_LOG_DEBUG, "exclude COLLECTD.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_COLLECTD); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/corba.c b/src/lib/protocols/corba.c index c16accc59..94e9f324a 100644 --- a/src/lib/protocols/corba.c +++ b/src/lib/protocols/corba.c @@ -18,10 +18,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_CORBA + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CORBA #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_CORBA static void ndpi_int_corba_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
@@ -31,18 +35,17 @@ void ndpi_search_corba(struct ndpi_detection_module_struct *ndpi_struct, struct { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_CORBA, ndpi_struct, NDPI_LOG_DEBUG, "search for CORBA.\n"); + NDPI_LOG_DBG(ndpi_struct, "search for CORBA\n"); if(packet->tcp != NULL) { - NDPI_LOG(NDPI_PROTOCOL_CORBA, ndpi_struct, NDPI_LOG_DEBUG, "calculating CORBA over tcp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculating CORBA over tcp\n"); /* Corba General Inter-ORB Protocol -> GIOP */ if ((packet->payload_packet_len >= 24 && packet->payload_packet_len <= 144) && memcmp(packet->payload, "GIOP", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_CORBA, ndpi_struct, NDPI_LOG_DEBUG, "found corba.\n"); + NDPI_LOG_INFO(ndpi_struct, "found corba\n"); ndpi_int_corba_add_connection(ndpi_struct, flow); } } else { - NDPI_LOG(NDPI_PROTOCOL_CORBA, ndpi_struct, NDPI_LOG_DEBUG, "exclude CORBA.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CORBA); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/crossfire.c b/src/lib/protocols/crossfire.c index 5dfddf5c3..ea1dce66a 100644 --- a/src/lib/protocols/crossfire.c +++ b/src/lib/protocols/crossfire.c @@ -21,11 +21,14 @@ * */ +#include "ndpi_protocol_ids.h" -/* include files */ -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_CROSSFIRE +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CROSSFIRE + +#include "ndpi_api.h" + static void ndpi_int_crossfire_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */) 
@@ -37,21 +40,17 @@ static void ndpi_int_crossfire_add_connection(struct ndpi_detection_module_struc void ndpi_search_crossfire_tcp_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_CROSSFIRE, ndpi_struct, NDPI_LOG_DEBUG, "search crossfire.\n"); + NDPI_LOG_DBG(ndpi_struct, "search crossfire\n"); if (packet->udp != 0) { - if (packet->payload_packet_len == 25 && get_u_int32_t(packet->payload, 0) == ntohl(0xc7d91999) + if (packet->payload_packet_len == 25 + && get_u_int32_t(packet->payload, 0) == ntohl(0xc7d91999) && get_u_int16_t(packet->payload, 4) == ntohs(0x0200) - && get_u_int16_t(packet->payload, 22) == ntohs(0x7d00) - ) { - NDPI_LOG(NDPI_PROTOCOL_CROSSFIRE, ndpi_struct, NDPI_LOG_DEBUG, "Crossfire: found udp packet.\n"); - ndpi_int_crossfire_add_connection(ndpi_struct, flow); - return; + && get_u_int16_t(packet->payload, 22) == ntohs(0x7d00)) { + NDPI_LOG_INFO(ndpi_struct, "found Crossfire: udp packet\n"); + ndpi_int_crossfire_add_connection(ndpi_struct, flow); + return; } } else if (packet->tcp != 0) { @@ -67,16 +66,15 @@ void ndpi_search_crossfire_tcp_udp(struct ndpi_detection_module_struct *ndpi_str && (memcmp(packet->host_line.ptr, "crossfire", 9) == 0 || memcmp(packet->host_line.ptr, "www.crossfire", 13) == 0)) ) { - NDPI_LOG(NDPI_PROTOCOL_CROSSFIRE, ndpi_struct, NDPI_LOG_DEBUG, "Crossfire: found HTTP request.\n"); - ndpi_int_crossfire_add_connection(ndpi_struct, flow); - return; + NDPI_LOG_DBG(ndpi_struct, "found Crossfire: HTTP request\n"); + ndpi_int_crossfire_add_connection(ndpi_struct, flow); + return; } } } - NDPI_LOG(NDPI_PROTOCOL_CROSSFIRE, ndpi_struct, NDPI_LOG_DEBUG, "exclude crossfire.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CROSSFIRE); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } 
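Review bot: The HTTP-request match in the `@@ -67,16 +66,15 @@` hunk reports its detection with `NDPI_LOG_DBG`, while the UDP match just above it and the other dissectors in this commit report a detection with `NDPI_LOG_INFO`. Assuming INFO is the level used to follow detections, this one path would be missing from that output; I would write `NDPI_LOG_INFO(ndpi_struct, "found Crossfire: HTTP request\n");`. The same mix appears in directconnect.c: the dst ssl-port branch (`@@ -220,16 +214,13 @@`) logs "found DC using port" with `NDPI_LOG_DBG`, and the dst timeout reset in `@@ -204,15 +200,13 @@` uses `NDPI_LOG_DBG` where its three sibling branches use `NDPI_LOG_DBG2`.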
diff --git a/src/lib/protocols/csgo.c b/src/lib/protocols/csgo.c index 14073aef7..3bf0b4fe9 100644 --- a/src/lib/protocols/csgo.c +++ b/src/lib/protocols/csgo.c 
@@ -20,49 +20,51 @@ * along with nDPI. If not, see . * */ +#include "ndpi_protocol_ids.h" +#ifdef NDPI_PROTOCOL_CSGO -#include "ndpi_api.h" +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_CSGO -#ifdef NDPI_PROTOCOL_CSGO +#include "ndpi_api.h" void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) { struct ndpi_packet_struct* packet = &flow->packet; if (packet->udp != NULL) { uint32_t w = htonl(get_u_int32_t(packet->payload, 0)); - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "CSGO: word %08x\n", w); + NDPI_LOG_DBG2(ndpi_struct, "CSGO: word %08x\n", w); if (!flow->csgo_state && packet->payload_packet_len == 23 && w == 0xfffffffful) { if (!memcmp(packet->payload + 5, "connect0x", 9)) { - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "Found csgo connect0x.\n"); flow->csgo_state++; memcpy(flow->csgo_strid, packet->payload + 5, 18); + NDPI_LOG_DBG2(ndpi_struct, "Found csgo connect0x\n"); return; } } if (flow->csgo_state == 1 && packet->payload_packet_len >= 42 && w == 0xfffffffful) { if (!memcmp(packet->payload + 24, flow->csgo_strid, 18)) { - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "Found csgo connect0x reply.\n"); flow->csgo_state++; ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO( ndpi_struct, "found csgo connect0x reply\n"); return; } } if (packet->payload_packet_len == 8 && ( w == 0x3a180000 || w == 0x39180000) ) { - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "Found csgo udp 8b.\n"); + NDPI_LOG_INFO( ndpi_struct, "found csgo udp 8b\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN); return; } if (packet->payload_packet_len >= 36 && w == 0x56533031ul) { - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "Found csgo udp.\n"); + NDPI_LOG_INFO( ndpi_struct, "found csgo udp\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, 
NDPI_PROTOCOL_UNKNOWN); return; } if (packet->payload_packet_len >= 36 && w == 0x01007364) { uint32_t w2 = htonl(get_u_int32_t(packet->payload, 4)); if (w2 == 0x70696e67) { - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "Found csgo udp ping.\n"); + NDPI_LOG_INFO( ndpi_struct, "found csgo udp ping\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN); return; } @@ -73,11 +75,11 @@ void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct n if (!flow->csgo_s2) { flow->csgo_id2 = w2; flow->csgo_s2 = 1; - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "Found csgo udp 0d1d step1.\n"); + NDPI_LOG_DBG2( ndpi_struct, "Found csgo udp 0d1d step1\n"); return; } if (flow->csgo_s2 == 1 && flow->csgo_id2 == w2) { - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "Found csgo udp 0d1d step1 DUP.\n"); + NDPI_LOG_DBG2( ndpi_struct, "Found csgo udp 0d1d step1 DUP\n"); return; } flow->csgo_s2 = 3; @@ -85,7 +87,7 @@ void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct n } if (packet->payload_packet_len == 15) { if (flow->csgo_s2 == 1 && flow->csgo_id2 == w2) { - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "Found csgo udp 0d1d.\n"); + NDPI_LOG_INFO( ndpi_struct, "found csgo udp 0d1d\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN); return; } 
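Review bot: ndpi_search_csgo reads `get_u_int32_t(packet->payload, 0)` as soon as `packet->udp != NULL`, before any test of `packet->payload_packet_len`, and the new `NDPI_LOG_DBG2(ndpi_struct, "CSGO: word %08x\n", w)` prints that word. For a UDP payload shorter than four bytes this reads past the payload; whether the buffer behind it has slack is not visible here. Every visible branch already requires at least 8 bytes, so the opening condition can carry the check without changing what is detected: `if (packet->udp != NULL && packet->payload_packet_len >= 4) {`. The function body continues in the following hunks.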
@@ -94,23 +96,23 @@ void ndpi_search_csgo(struct ndpi_detection_module_struct* ndpi_struct, struct n } if (packet->payload_packet_len >= 140 && (w == 0x02124c6c || w == 0x02125c6c) && !memcmp(&packet->payload[3], "lta\000mob\000tpc\000bhj\000bxd\000tae\000urg\000gkh\000", 32)) { - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "Found csgo dictionary udp.\n"); + NDPI_LOG_INFO( ndpi_struct, "found csgo dictionary udp\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN); return; } if (packet->payload_packet_len >= 33 && packet->iph && packet->iph->daddr == 0xffffffff && !memcmp(&packet->payload[17], "LanSearch", 9)) { - NDPI_LOG(NDPI_PROTOCOL_CSGO, ndpi_struct, NDPI_LOG_DEBUG, "Found csgo LanSearch udp.\n"); + NDPI_LOG_INFO( ndpi_struct, "found csgo LanSearch udp\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_CSGO, NDPI_PROTOCOL_UNKNOWN); return; } } if (flow->packet_counter > 20) - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_CSGO); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } -void init_csgo_dissector(struct ndpi_detection_module_struct *ndpi_struct, - u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { +void init_csgo_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) +{ ndpi_set_bitmask_protocol_detection("CSGO", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_CSGO, ndpi_search_csgo, diff --git a/src/lib/protocols/dcerpc.c b/src/lib/protocols/dcerpc.c index 7be8ac027..3aef077cd 100644 --- a/src/lib/protocols/dcerpc.c +++ b/src/lib/protocols/dcerpc.c @@ -21,10 +21,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_DCERPC + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DCERPC #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_DCERPC static void ndpi_int_dcerpc_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
@@ -36,20 +40,21 @@ void ndpi_search_dcerpc(struct ndpi_detection_module_struct *ndpi_struct, struct { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search DCERPC\n"); + if((packet->tcp != NULL) && (packet->payload_packet_len >= 64) && (packet->payload[0] == 0x05) /* version 5 */ && (packet->payload[2] < 16) /* Packet type */ && (((packet->payload[9]<<8) | packet->payload[8]) == packet->payload_packet_len) /* Packet Length */ ) { - NDPI_LOG(NDPI_PROTOCOL_DCERPC, ndpi_struct, NDPI_LOG_DEBUG, "DCERPC match\n"); + NDPI_LOG_INFO(ndpi_struct, "found DCERPC\n"); ndpi_int_dcerpc_add_connection(ndpi_struct, flow); return; } - if(packet->payload_packet_len>1){ - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DCERPC); - } + if(packet->payload_packet_len>1) + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/dhcp.c b/src/lib/protocols/dhcp.c index cdf33947e..004d42379 100644 --- a/src/lib/protocols/dhcp.c +++ b/src/lib/protocols/dhcp.c @@ -18,11 +18,14 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_DHCP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DHCP + +#include "ndpi_api.h" + /* freeradius/src/lib/dhcp.c */ #define DHCP_CHADDR_LEN 16 #define DHCP_SNAME_LEN 64 @@ -61,8 +64,7 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; + NDPI_LOG_DBG(ndpi_struct, "search DHCP\n"); /* this detection also works for asymmetric dhcp traffic */ @@ -87,7 +89,7 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru if(len == 0) break; #ifdef DHCP_DEBUG - printf("[DHCP] Id=%d [len=%d]\n", id, len); + NDPI_LOG_DBG2(ndpi_struct, "[DHCP] Id=%d [len=%d]\n", id, len); #endif if(id == 53 /* DHCP Message Type */) { 
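Review bot: The rewritten tail of ndpi_search_dcerpc, `if(packet->payload_packet_len>1) NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`, drops the braces around a macro whose definition is not part of this view. That is safe only while NDPI_EXCLUDE_PROTO expands to a single statement; if it ever grows to more than one, everything after the first statement would run unconditionally and exclude the protocol on every call. Keeping the braces, as the citrix.c hunk in this commit does for `else if(flow->l4.tcp.citrix_packet_id > 3) { ... }`, avoids relying on that. The unbraced `if (flow->packet_counter > 20)` in csgo.c has the same shape.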
@@ -95,8 +97,7 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru if(msg_type <= 8) foundValidMsgType = 1; } else if(id == 55 /* Parameter Request List / Fingerprint */) { - u_int idx, offset = 0, - hex_len = ndpi_min(len * 2, sizeof(flow->protos.dhcp.fingerprint)); + u_int idx, offset = 0; for(idx=0; idxprotos.dhcp.fingerprint[offset], @@ -109,9 +110,8 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru int j = 0; #ifdef DHCP_DEBUG - printf("[DHCP] "); - while(j < len) { printf("%c", name[j]); j++; } - printf("\n"); + NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n",name,len); +// while(j < len) { printf( "%c", name[j]); j++; }; printf("\n"); #endif j = ndpi_min(len, sizeof(flow->host_server_name)-1); strncpy((char*)flow->host_server_name, name, j); @@ -125,14 +125,14 @@ void ndpi_search_dhcp_udp(struct ndpi_detection_module_struct *ndpi_struct, stru //get_u_int16_t(packet->payload, 240) == htons(0x3501)) { if(foundValidMsgType) { - NDPI_LOG(NDPI_PROTOCOL_DHCP, ndpi_struct, NDPI_LOG_DEBUG, "DHCP found\n"); + NDPI_LOG_INFO(ndpi_struct, "found DHCP\n"); ndpi_int_dhcp_add_connection(ndpi_struct, flow); } return; } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DHCP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/dhcpv6.c b/src/lib/protocols/dhcpv6.c index 31d912b39..98ed08cda 100644 --- a/src/lib/protocols/dhcpv6.c +++ b/src/lib/protocols/dhcpv6.c @@ -22,12 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" +#ifdef NDPI_PROTOCOL_DHCPV6 -/* include files */ +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DHCPV6 + +#include "ndpi_api.h" -#include "ndpi_protocols.h" -#ifdef NDPI_PROTOCOL_DHCPV6 static void ndpi_int_dhcpv6_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
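Review bot: In the `@@ -109,9 +110,8 @@` hunk the new debug line `NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n",name,len);` passes its arguments in the wrong order, since `%.*s` consumes an `int` precision first and the string pointer second. As written, a pointer is taken as the precision and `len` as the string address, which is undefined behaviour on packet-derived data as soon as DHCP_DEBUG is defined. It should read `NDPI_LOG_DBG2(ndpi_struct, "[DHCP] '%.*s'\n", (int)len, name);`. The commented-out `printf` loop left beneath it can be removed.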
@@ -40,21 +42,19 @@ void ndpi_search_dhcpv6_udp(struct ndpi_detection_module_struct *ndpi_struct, st { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + NDPI_LOG_DBG(ndpi_struct, "search DHCPv6\n"); if (packet->payload_packet_len >= 4 && (packet->udp->source == htons(546) || packet->udp->source == htons(547)) && (packet->udp->dest == htons(546) || packet->udp->dest == htons(547)) && packet->payload[0] >= 1 && packet->payload[0] <= 13) { - NDPI_LOG(NDPI_PROTOCOL_DHCPV6, ndpi_struct, NDPI_LOG_DEBUG, "DHCPv6 detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found DHCPv6\n"); ndpi_int_dhcpv6_add_connection(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_DHCPV6, ndpi_struct, NDPI_LOG_DEBUG, "DHCPv6 excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DHCPV6); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/directconnect.c b/src/lib/protocols/directconnect.c index e712df626..725e53348 100644 --- a/src/lib/protocols/directconnect.c +++ b/src/lib/protocols/directconnect.c @@ -23,9 +23,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_DIRECTCONNECT +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DIRECTCONNECT + +#include "ndpi_api.h" + + //#define NDPI_DEBUG_DIRECTCONNECT //#define NDPI_DIRECTCONNECT_PORT_DEBUG //#define NDPI_DEBUG_DIRECTCONNECT_CONN @@ -58,9 +64,7 @@ static u_int16_t parse_binf_message(struct ndpi_detection_module_struct if (memcmp(&payload[i], "DCTM", 4) == 0) { if (memcmp(&payload[i + 15], "ADCS", 4) == 0) { ssl_port = ntohs_ndpi_bytestream_to_number(&payload[i + 25], 5, &bytes_read); - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "directconnect ssl port parsed %d", ssl_port); - + NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ssl_port); } } } else { 
@@ -89,13 +93,11 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s if (packet->tcp != NULL && flow->setup_packet_direction != packet->packet_direction && src->detected_directconnect_port == 0) { src->detected_directconnect_port = packet->tcp->source; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "directconnect tcp PORT %u for src\n", ntohs(src->detected_directconnect_port)); + NDPI_LOG_DBG2(ndpi_struct, "DC tcp PORT %u for src\n", ntohs(src->detected_directconnect_port)); } if (packet->udp != NULL && src->detected_directconnect_udp_port == 0) { src->detected_directconnect_udp_port = packet->udp->source; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "directconnect udp PORT %u for src\n", ntohs(src->detected_directconnect_port)); + NDPI_LOG_DBG2(ndpi_struct, "DC udp PORT %u for src\n", ntohs(src->detected_directconnect_port)); } } @@ -113,9 +115,9 @@ static void ndpi_int_directconnect_add_connection(struct ndpi_detection_module_s /* dst->detected_directconnect_port = packet->tcp->dest; - NDPI_LOG (NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "directconnect tcp PORT %u for dst\n", - ntohs (dst->detected_directconnect_port)); + NDPI_LOG_DBG2(ndpi_struct, + "DC tcp PORT %u for dst\n", + ntohs (dst->detected_directconnect_port)); */ } } 
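Review bot: The UDP branch in the `@@ -89,13 +93,11 @@` hunk stores `packet->udp->source` in `src->detected_directconnect_udp_port`, but the log call next to it prints `src->detected_directconnect_port`, which is the TCP field. The rewrite kept that argument, so the debug output for a UDP peer shows the TCP port (or zero) instead of the value just recorded. It should be `NDPI_LOG_DBG2(ndpi_struct, "DC udp PORT %u for src\n", ntohs(src->detected_directconnect_udp_port));`.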
@@ -148,14 +150,12 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if (dst != NULL) { dst->detected_directconnect_ssl_port = ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read); - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "directconnect ssl port parsed %d", ntohs(dst->detected_directconnect_ssl_port)); + NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(dst->detected_directconnect_ssl_port)); } if (src != NULL) { src->detected_directconnect_ssl_port = ntohs_ndpi_bytestream_to_number(&packet->payload[25], 5, &bytes_read); - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "directconnect ssl port parsed %d", ntohs(src->detected_directconnect_ssl_port)); + NDPI_LOG_DBG2(ndpi_struct, "DC ssl port parsed %d\n", ntohs(src->detected_directconnect_ssl_port)); } @@ -168,15 +168,13 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if ((u_int32_t) (packet->tick_timestamp - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); src->directconnect_last_safe_access_time = packet->tick_timestamp; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "marking using dc port\n %d", ntohs(src->detected_directconnect_port)); + NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_port)); + ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); return; } else { src->detected_directconnect_port = 0; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "resetting src port due to timeout"); + NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n"); return; } } 
@@ -184,15 +182,13 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if ((u_int32_t) (packet->tick_timestamp - src->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); src->directconnect_last_safe_access_time = packet->tick_timestamp; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "marking using dc port\n %d", ntohs(src->detected_directconnect_ssl_port)); + NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(src->detected_directconnect_ssl_port)); + ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); return; } else { src->detected_directconnect_ssl_port = 0; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "resetting src port due to timeout"); + NDPI_LOG_DBG2(ndpi_struct, "resetting src port due to timeout\n"); return; } } 
@@ -204,15 +200,13 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if ((u_int32_t) (packet->tick_timestamp - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); dst->directconnect_last_safe_access_time = packet->tick_timestamp; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "marking using dc port\n %d", ntohs(dst->detected_directconnect_port)); + NDPI_LOG_INFO(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_port)); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); return; } else { dst->detected_directconnect_port = 0; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "resetting dst port due to timeout"); + NDPI_LOG_DBG(ndpi_struct, "resetting dst port due to timeout\n"); return; } } 
@@ -220,16 +214,13 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if ((u_int32_t) (packet->tick_timestamp - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); dst->directconnect_last_safe_access_time = packet->tick_timestamp; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "marking using dc port\n %d", ntohs(dst->detected_directconnect_ssl_port)); - + NDPI_LOG_DBG(ndpi_struct, "found DC using port %d\n", ntohs(dst->detected_directconnect_ssl_port)); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); return; } else { dst->detected_directconnect_ssl_port = 0; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "resetting dst port due to timeout"); + NDPI_LOG_DBG2(ndpi_struct, "resetting dst port due to timeout\n"); return; } } @@ -242,8 +233,7 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if (packet->payload[0] == '$' && packet->payload[packet->payload_packet_len - 1] == '|' && (memcmp(&packet->payload[1], "Lock ", 5) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "maybe first dc connect to hub detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe first dc connect to hub detected\n"); flow->directconnect_stage = 1; return; } @@ -251,8 +241,7 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n && packet->payload[0] == '$' && packet->payload[packet->payload_packet_len - 1] == '|' && (memcmp(&packet->payload[1], "MyNick ", 7) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "maybe first dc connect between peers detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe first dc connect between peers detected\n"); flow->directconnect_stage = 2; return; } 
@@ -262,15 +251,13 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n /* did not see this pattern in any trace */ if (memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0 || memcmp(&packet->payload[0], "HSUP ADBASE", 11) == 0) { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "found directconnect HSUP ADBAS0 E\n"); + NDPI_LOG_INFO(ndpi_struct, "found DC HSUP ADBAS0 E\n"); ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_HUB); return; /* did not see this pattern in any trace */ } else if (memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 || memcmp(&packet->payload[0], "CSUP ADBASE", 11) == 0) { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "found directconnect CSUP ADBAS0 E\n"); + NDPI_LOG_INFO(ndpi_struct, "found DC CSUP ADBAS0 E\n"); ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_ADC_PEER); return; @@ -283,19 +270,14 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n /* did not see this pattern in any trace */ if (memcmp(&packet->payload[0], "HSUP ADBAS0", 11) == 0 || memcmp(&packet->payload[0], "HSUP ADBASE", 11) == 0) { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "found directconnect HSUP ADBAS E in second packet\n"); + NDPI_LOG_INFO(ndpi_struct, "found DC HSUP ADBAS E in second packet\n"); ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_HUB); - return; /* did not see this pattern in any trace */ } else if (memcmp(&packet->payload[0], "CSUP ADBAS0", 11) == 0 || memcmp(&packet->payload[0], "CSUP ADBASE", 11) == 0) { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "found directconnect HSUP ADBAS0 E in second packet\n"); + NDPI_LOG_INFO(ndpi_struct, "found DC HSUP ADBAS0 E in second packet\n"); ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_ADC_PEER); - - return; } 
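Review bot: In the second-packet check the `CSUP ADBAS0` / `CSUP ADBASE` branch logs `"found DC HSUP ADBAS0 E in second packet\n"`, although that branch registers `DIRECT_CONNECT_ADC_PEER`, so hub and peer detections cannot be told apart in the log. The text was carried over unchanged from the old NDPI_LOG call; it should read `NDPI_LOG_INFO(ndpi_struct, "found DC CSUP ADBAS0 E in second packet\n");`. The 11-byte memcmp calls in both hunks on this line depend on a payload-length guard that sits outside the hunks, so I could not confirm it from here.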
@@ -304,12 +286,11 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n if (packet->payload_packet_len > 6) { if ((packet->payload[0] == '$' || packet->payload[0] == '<') && packet->payload[packet->payload_packet_len - 1] == '|') { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, NDPI_LOG_DEBUG, "second dc detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found DC second\n"); ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_HUB); - return; } else { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, NDPI_LOG_DEBUG, "second dc not detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "second dc not detected\n"); } } @@ -317,23 +298,17 @@ static void ndpi_search_directconnect_tcp(struct ndpi_detection_module_struct *n /* get client hello answer or server message */ if (packet->payload_packet_len > 6) { if (packet->payload[0] == '$' && packet->payload[packet->payload_packet_len - 1] == '|') { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "second dc between peers detected\n"); - - + NDPI_LOG_INFO(ndpi_struct, "found DC between peers\n"); ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER); - return; } else { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "second dc between peers not detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "second dc between peers not detected\n"); } } } - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } 
@@ -352,15 +327,13 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct (packet->tick_timestamp - dst->directconnect_last_safe_access_time) < ndpi_struct->directconnect_connection_ip_tick_timeout) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); dst->directconnect_last_safe_access_time = packet->tick_timestamp; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "marking using dc udp port\n %d", ntohs(dst->detected_directconnect_udp_port)); + NDPI_LOG_INFO(ndpi_struct, "found DC using udp port %d\n", ntohs(dst->detected_directconnect_udp_port)); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DIRECTCONNECT, NDPI_PROTOCOL_UNKNOWN); return; } else { dst->detected_directconnect_udp_port = 0; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "resetting dst udp port due to timeout"); + NDPI_LOG_DBG2(ndpi_struct, "resetting dst udp port due to timeout\n"); return; } } @@ -380,20 +353,15 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct if (packet->payload[pos] == '(') { pos = pos - 44; if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, NDPI_LOG_DEBUG, "dc udp detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found DC udp\n"); ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER); return; } } } flow->directconnect_stage++; - - if (flow->directconnect_stage < 3) { - - + if (flow->directconnect_stage < 3) return; - } - } } 
@@ -411,7 +379,7 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct if (packet->payload[pos] == '(') { pos = pos - 44; if (pos > 2 && memcmp(&packet->payload[pos], "TTH:", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, NDPI_LOG_DEBUG, "dc udp detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found DC udp\n"); ndpi_int_directconnect_add_connection(ndpi_struct, flow, DIRECT_CONNECT_TYPE_PEER); return; } @@ -420,15 +388,11 @@ static void ndpi_search_directconnect_udp(struct ndpi_detection_module_struct flow->directconnect_stage++; if (flow->directconnect_stage < 3) return; - } } } - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, NDPI_LOG_DEBUG, - "excluded at stage %d \n", flow->directconnect_stage); - - + NDPI_LOG_DBG(ndpi_struct, "excluded DC at stage %d \n", flow->directconnect_stage); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT); @@ -442,7 +406,7 @@ void ndpi_search_directconnect(struct ndpi_detection_module_struct struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - + NDPI_LOG_DBG(ndpi_struct, "search DC\n"); if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_DIRECTCONNECT) { if (src != NULL && ((u_int32_t) @@ -458,8 +422,7 @@ void ndpi_search_directconnect(struct ndpi_detection_module_struct dst->directconnect_last_safe_access_time = packet->tick_timestamp; } else { packet->detected_protocol_stack[0] = NDPI_PROTOCOL_UNKNOWN; - NDPI_LOG(NDPI_PROTOCOL_DIRECTCONNECT, ndpi_struct, - NDPI_LOG_DEBUG, "directconnect: skipping as unknown due to timeout\n"); + NDPI_LOG_DBG2(ndpi_struct, "skipping as unknown due to timeout\n"); } return; } diff --git a/src/lib/protocols/directdownloadlink.c b/src/lib/protocols/directdownloadlink.c index 24375c90f..0a4d528f2 100644 --- a/src/lib/protocols/directdownloadlink.c +++ b/src/lib/protocols/directdownloadlink.c 
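Review bot: The exclusion at the end of ndpi_search_directconnect_udp still calls `NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DIRECTCONNECT);` directly, while the TCP path of the same dissector was converted to `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` in this commit. Leaving one path on the raw bitmask macro means the two exclusions no longer go through the same code, and any logging or bookkeeping the new macro does is skipped for UDP. I would keep the `NDPI_LOG_DBG(... "excluded DC at stage %d \n" ...)` line if the stage number is useful and follow it with `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`. The function continues past the hunk.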
@@ -23,9 +23,14 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK + +#include "ndpi_api.h" + #ifdef NDPI_DEBUG_DIRECT_DOWNLOAD_LINK //#define NDPI_DEBUG_DIRECT_DOWNLOAD_LINK_NOTHING_FOUND @@ -52,15 +57,12 @@ static void ndpi_int_direct_download_link_add_connection(struct ndpi_detection_m u_int8_t search_ddl_domains(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - u_int16_t filename_start = 0; u_int8_t i = 1; u_int16_t host_line_len_without_port; if (packet->payload_packet_len < 100) { - NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: Packet too small.\n"); + NDPI_LOG_DBG2(ndpi_struct, "DDL: Packet too small\n"); goto end_ddl_nothing_found; } @@ -68,10 +70,10 @@ u_int8_t search_ddl_domains(struct ndpi_detection_module_struct *ndpi_struct, st if (memcmp(packet->payload, "POST ", 5) == 0) { filename_start = 5; // POST - NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: POST FOUND\n"); + NDPI_LOG_DBG2(ndpi_struct, "DDL: POST FOUND\n"); } else if (memcmp(packet->payload, "GET ", 4) == 0) { filename_start = 4; // GET - NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: GET FOUND\n"); + NDPI_LOG_DBG2(ndpi_struct, "DDL: GET FOUND\n"); } else { goto end_ddl_nothing_found; } 
@@ -79,16 +81,15 @@ u_int8_t search_ddl_domains(struct ndpi_detection_module_struct *ndpi_struct, st ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->host_line.ptr == NULL) { - NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: NO HOST FOUND\n"); + NDPI_LOG_DBG2(ndpi_struct, "DDL: NO HOST FOUND\n"); goto end_ddl_nothing_found; } - NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: Host: found\n"); + NDPI_LOG_DBG2(ndpi_struct, "DDL: Host: found\n"); if (packet->line[0].len < 9 + filename_start || memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) != 0) { - NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, - NDPI_LOG_DEBUG, "DDL: PACKET NOT HTTP CONFORM.\nXXX%.*sXXX\n", + NDPI_LOG_DBG2(ndpi_struct, "DDL: PACKET NOT HTTP CONFORM.\nXXX%.*sXXX\n", 8, &packet->line[0].ptr[packet->line[0].len - 9]); goto end_ddl_nothing_found; } @@ -100,11 +101,11 @@ u_int8_t search_ddl_domains(struct ndpi_detection_module_struct *ndpi_struct, st i = 2; while (host_line_len_without_port >= i && packet->host_line.ptr[host_line_len_without_port - i] >= '0' && packet->host_line.ptr[host_line_len_without_port - i] <= '9') { - NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: number found\n"); + NDPI_LOG_DBG2(ndpi_struct, "DDL: number found\n"); i++; } if (host_line_len_without_port >= i && packet->host_line.ptr[host_line_len_without_port - i] == ':') { - NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: ':' found\n"); + NDPI_LOG_DBG2(ndpi_struct, "DDL: ':' found\n"); host_line_len_without_port = host_line_len_without_port - i; } } 
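Review bot: The rewritten `NDPI_LOG_DBG2(... "DDL: PACKET NOT HTTP CONFORM.\nXXX%.*sXXX\n", 8, &packet->line[0].ptr[packet->line[0].len - 9])` in search_ddl_domains is reached when `packet->line[0].len < 9 + filename_start`, so for a first line shorter than 9 bytes the index `len - 9` is negative. The log argument then points before the start of the line and 8 bytes are read from there. The data comes straight from the packet, so a short request line such as a bare `GET ` followed by CRLF would reach it whenever the debug macro evaluates its arguments. Split the test so the short case exits first, `if (packet->line[0].len < 9 + filename_start) goto end_ddl_nothing_found;`, and keep the log only on the memcmp-mismatch branch.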
@@ -694,12 +695,12 @@ u_int8_t search_ddl_domains(struct ndpi_detection_module_struct *ndpi_struct, st */ end_ddl_nothing_found: - NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "Nothing Found\n"); return 0; end_ddl_found: - NDPI_LOG(NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK, ndpi_struct, NDPI_LOG_DEBUG, "DDL: DIRECT DOWNLOAD LINK FOUND\n"); + NDPI_LOG_INFO(ndpi_struct, "found DIRECT DOWNLOAD LINK\n"); ndpi_int_direct_download_link_add_connection(ndpi_struct, flow); return 1; } @@ -709,15 +710,12 @@ void ndpi_search_direct_download_link_tcp(struct ndpi_detection_module_struct *n { struct ndpi_packet_struct *packet = &flow->packet; - /* struct ndpi_id_struct *src=ndpi_struct->src; */ - /* struct ndpi_id_struct *dst=ndpi_struct->dst; */ - /* do not detect again if it is already ddl */ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK) { if (search_ddl_domains(ndpi_struct, flow) != 0) { return; } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DIRECT_DOWNLOAD_LINK); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/dns.c b/src/lib/protocols/dns.c index 5358cc8b7..bf4f9d9b6 100644 --- a/src/lib/protocols/dns.c +++ b/src/lib/protocols/dns.c @@ -21,10 +21,15 @@ * */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_DNS +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DNS + +#include "ndpi_api.h" + + #define FLAGS_MASK 0x8000 /* #define DNS_DEBUG 1 */ @@ -64,7 +69,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd u_int8_t is_query; u_int16_t s_port = 0, d_port = 0; - NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "search DNS.\n"); + NDPI_LOG_DBG(ndpi_struct, "search DNS\n"); if(flow->packet.udp != NULL) { s_port = ntohs(flow->packet.udp->source); 
@@ -75,8 +80,8 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd d_port = ntohs(flow->packet.tcp->dest); x = 2; } else { - NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; } if((s_port == 53 || d_port == 53 || d_port == 5355) @@ -116,7 +121,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd x++; flow->protos.dns.query_type = get16(&x, flow->packet.payload); #ifdef DNS_DEBUG - printf("[%s:%d] query_type=%2d\n", __FILE__, __LINE__, flow->protos.dns.query_type); + NDPI_LOG_DBG2(ndpi_struct, "query_type=%2d\n", flow->protos.dns.query_type); #endif break; } else @@ -177,8 +182,7 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd } if(invalid) { - NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -208,9 +212,8 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd strlen((const char*)flow->host_server_name), NDPI_PROTOCOL_DNS); -#ifdef DNS_DEBUG - printf("[%s:%d] [num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n", - __FILE__, __LINE__, +#ifdef DNS_DEBUG + NDPI_LOG_DBG2(ndpi_struct, "[num_queries=%d][num_answers=%d][reply_code=%u][rsp_type=%u][host_server_name=%s]\n", flow->protos.dns.num_queries, flow->protos.dns.num_answers, flow->protos.dns.reply_code, flow->protos.dns.rsp_type, flow->host_server_name ); 
@@ -224,11 +227,10 @@ void ndpi_search_dns(struct ndpi_detection_module_struct *ndpi_struct, struct nd Do not set the protocol with DNS if ndpi_match_host_subprotocol() has matched a subprotocol **/ - NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "found DNS.\n"); + NDPI_LOG_INFO(ndpi_struct, "found DNS\n"); ndpi_set_detected_protocol(ndpi_struct, flow, (d_port == 5355) ? NDPI_PROTOCOL_LLMNR : NDPI_PROTOCOL_DNS, NDPI_PROTOCOL_UNKNOWN); } else { - NDPI_LOG(NDPI_PROTOCOL_DNS, ndpi_struct, NDPI_LOG_DEBUG, "exclude DNS.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DNS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } } diff --git a/src/lib/protocols/dofus.c b/src/lib/protocols/dofus.c index 26ccdb444..baed6c262 100644 --- a/src/lib/protocols/dofus.c +++ b/src/lib/protocols/dofus.c 
@@ -22,76 +22,68 @@ * */ +#include "ndpi_protocol_ids.h" +#ifdef NDPI_PROTOCOL_DOFUS -#include "ndpi_api.h" +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DOFUS -#ifdef NDPI_PROTOCOL_DOFUS +#include "ndpi_api.h" static void ndpi_dofus_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DOFUS, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found dofus\n"); } void ndpi_search_dofus(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; + struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search dofus\n"); /* Dofus v 1.x.x */ if (packet->payload_packet_len == 13 && get_u_int16_t(packet->payload, 1) == ntohs(0x0508) && get_u_int16_t(packet->payload, 5) == ntohs(0x04a0) && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == ntohs(0x0194)) { - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); ndpi_dofus_add_connection(ndpi_struct, flow); return; } - if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len == 3 && memcmp(packet->payload, "HG", 2) == 0 - && packet->payload[packet->payload_packet_len - 1] == 0) { - flow->l4.tcp.dofus_stage = 1; - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); - return; - } - if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len == 35 && memcmp(packet->payload, "HC", 2) == 0 - && packet->payload[packet->payload_packet_len - 1] == 0) { - flow->l4.tcp.dofus_stage = 1; - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); - return; - } - if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len > 2 && packet->payload[0] == 'A' - && (packet->payload[1] == 'x' || packet->payload[1] == 'X') - && 
packet->payload[packet->payload_packet_len - 1] == 0) { - flow->l4.tcp.dofus_stage = 1; - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); - return; - } - if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len == 12 && memcmp(packet->payload, "Af", 2) == 0 - && packet->payload[packet->payload_packet_len - 1] == 0) { - flow->l4.tcp.dofus_stage = 1; - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); - return; - } - if (flow->l4.tcp.dofus_stage == 0 && packet->payload_packet_len > 2 && memcmp(packet->payload, "Ad", 2) - && packet->payload[packet->payload_packet_len - 1] == 0) { - flow->l4.tcp.dofus_stage = 1; - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "maybe dofus.\n"); - return; + if (flow->l4.tcp.dofus_stage == 0) { + if (packet->payload_packet_len == 3 && memcmp(packet->payload, "HG", 2) == 0 + && packet->payload[packet->payload_packet_len - 1] == 0) + goto maybe_dofus; + + if (packet->payload_packet_len == 12 && memcmp(packet->payload, "Af", 2) == 0 + && packet->payload[packet->payload_packet_len - 1] == 0) + goto maybe_dofus; + + if (packet->payload_packet_len == 35 && memcmp(packet->payload, "HC", 2) == 0 + && packet->payload[packet->payload_packet_len - 1] == 0) + goto maybe_dofus; + + if (packet->payload_packet_len > 2 && packet->payload[0] == 'A' + && (packet->payload[1] == 'x' || packet->payload[1] == 'X') + && packet->payload[packet->payload_packet_len - 1] == 0) + goto maybe_dofus; + + if (packet->payload_packet_len > 2 && memcmp(packet->payload, "Ad", 2) + && packet->payload[packet->payload_packet_len - 1] == 0) + goto maybe_dofus; + } - if (packet->payload_packet_len == 11 && memcmp(packet->payload, "AT", 2) == 0 && packet->payload[10] == 0x00) { - if (flow->l4.tcp.dofus_stage == 1) { - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); + if (flow->l4.tcp.dofus_stage == 1) { + if (packet->payload_packet_len == 11 && memcmp(packet->payload, 
"AT", 2) == 0 + && packet->payload[10] == 0x00) { + ndpi_dofus_add_connection(ndpi_struct, flow); + return; + } + if (packet->payload_packet_len == 5 + && packet->payload[0] == 'A' && packet->payload[4] == 0x00 + && (packet->payload[1] == 'T' || packet->payload[1] == 'k')) { ndpi_dofus_add_connection(ndpi_struct, flow); return; } - } - if (flow->l4.tcp.dofus_stage == 1 && packet->payload_packet_len == 5 - && packet->payload[0] == 'A' && packet->payload[4] == 0x00 && (packet->payload[1] == 'T' - || packet->payload[1] == 'k')) { - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus asym.\n"); - ndpi_dofus_add_connection(ndpi_struct, flow); - return; } /* end Dofus 1.x.x */ @@ -109,7 +101,6 @@ void ndpi_search_dofus(struct ndpi_detection_module_struct *ndpi_struct, struct if (packet->payload_packet_len == 49 && ntohs(get_u_int16_t(packet->payload, 15)) + 17 != packet->payload_packet_len) { goto exclude; } - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); ndpi_dofus_add_connection(ndpi_struct, flow); return; } @@ -120,7 +111,6 @@ void ndpi_search_dofus(struct ndpi_detection_module_struct *ndpi_struct, struct goto exclude; len2 = ntohs(get_u_int16_t(packet->payload, 5 + len)); if (5 + len + 2 + len2 == packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); ndpi_dofus_add_connection(ndpi_struct, flow); return; } 
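Review bot: In the new stage-0 block of ndpi_search_dofus the last test reads `memcmp(packet->payload, "Ad", 2)` with no `== 0`, unlike the four checks above it. As written it is true for every payload that does not start with "Ad", so any packet longer than 2 bytes that ends in a zero byte jumps to `maybe_dofus` and sets `dofus_stage = 1`. That makes the stage-1 match much easier to reach with unrelated traffic and looks like a missing comparison rather than intent. The restructuring kept the old expression; it should be `memcmp(packet->payload, "Ad", 2) == 0`.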
@@ -135,16 +125,20 @@ void ndpi_search_dofus(struct ndpi_detection_module_struct *ndpi_struct, struct if ((12 + len + 2 + len2 + 1) > packet->payload_packet_len) goto exclude; if (12 + len + 2 + len2 + 1 == packet->payload_packet_len && packet->payload[12 + len + 2 + len2] == 0x01) { - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "found dofus.\n"); ndpi_dofus_add_connection(ndpi_struct, flow); return; } } - exclude: - NDPI_LOG(NDPI_PROTOCOL_DOFUS, ndpi_struct, NDPI_LOG_DEBUG, "exclude dofus.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DOFUS); -} +exclude: + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; + +maybe_dofus: + flow->l4.tcp.dofus_stage = 1; + NDPI_LOG_DBG2(ndpi_struct, "maybe dofus\n"); + return; +} void init_dofus_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { diff --git a/src/lib/protocols/drda.c b/src/lib/protocols/drda.c index 83a79ea82..72d708d13 100644 --- a/src/lib/protocols/drda.c +++ b/src/lib/protocols/drda.c @@ -17,10 +17,14 @@ * If not, see . * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_DRDA +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DRDA + +#include "ndpi_api.h" + struct ndpi_drda_hdr { u_int16_t length; u_int8_t magic; @@ -37,6 +41,8 @@ void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct * packet = &flow->packet; u_int16_t payload_len = packet->payload_packet_len; u_int count = 0; // prevent integer overflow + + NDPI_LOG_DBG(ndpi_struct, "search DRDA\n"); if(packet->tcp != NULL) { 
@@ -71,15 +77,14 @@ void ndpi_search_drda(struct ndpi_detection_module_struct *ndpi_struct, } if(count != payload_len) goto no_drda; } - NDPI_LOG(NDPI_PROTOCOL_DRDA, ndpi_struct, NDPI_LOG_DEBUG, "found DRDA.\n"); + NDPI_LOG_INFO(ndpi_struct, "found DRDA\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_DRDA, NDPI_PROTOCOL_UNKNOWN); return; } } no_drda: - NDPI_LOG(NDPI_PROTOCOL_DRDA, ndpi_struct, NDPI_LOG_DEBUG, "exclude DRDA.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DRDA); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/dropbox.c b/src/lib/protocols/dropbox.c index d8babfb1b..6e8a2dcb0 100644 --- a/src/lib/protocols/dropbox.c +++ b/src/lib/protocols/dropbox.c @@ -21,10 +21,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_DROPBOX + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_DROPBOX #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_DROPBOX #define DB_LSP_PORT 17500 @@ -51,7 +55,7 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, if(payload_len > 2) { if(strncmp((const char *)packet->payload, "{\"host_int\"", 11) == 0) { - NDPI_LOG(NDPI_PROTOCOL_DROPBOX, ndpi_struct, NDPI_LOG_DEBUG, "Found dropbox.\n"); + NDPI_LOG_INFO(ndpi_struct, "found dropbox\n"); ndpi_int_dropbox_add_connection(ndpi_struct, flow, 0); return; } 
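Review bot: In ndpi_check_dropbox the `strncmp((const char *)packet->payload, "{\"host_int\"", 11)` is guarded only by `if(payload_len > 2)`. Packet payloads are not NUL-terminated, so a payload of 3 to 10 bytes that matches the beginning of the literal is compared past its end. The guard should cover the full literal, `if(payload_len >= 11)`, and the comparison could then be a plain `memcmp(packet->payload, "{\"host_int\"", 11) == 0`. The port checks that enclose this block are outside the hunk.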
@@ -59,15 +63,14 @@ static void ndpi_check_dropbox(struct ndpi_detection_module_struct *ndpi_struct, } } - NDPI_LOG(NDPI_PROTOCOL_DROPBOX, ndpi_struct, NDPI_LOG_DEBUG, "exclude dropbox.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_DROPBOX); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_dropbox(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_DROPBOX, ndpi_struct, NDPI_LOG_DEBUG, "dropbox detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search dropbox\n"); /* skip marked packets */ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_DROPBOX) { diff --git a/src/lib/protocols/eaq.c b/src/lib/protocols/eaq.c index 96ecacdde..3929b4ef6 100644 --- a/src/lib/protocols/eaq.c +++ b/src/lib/protocols/eaq.c @@ -24,12 +24,18 @@ http://www.brasilbandalarga.com.br */ + +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_EAQ + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_EAQ + #include "ndpi_api.h" #define EAQ_DEFAULT_PORT 6000 #define EAQ_DEFAULT_SIZE 16 -#ifdef NDPI_PROTOCOL_EAQ static void ndpi_int_eaq_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_EAQ, NDPI_PROTOCOL_UNKNOWN); 
@@ -40,33 +46,34 @@ void ndpi_search_eaq(struct ndpi_detection_module_struct *ndpi_struct, struct nd struct ndpi_packet_struct *packet = &flow->packet; u_int16_t sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); - if((packet->payload_packet_len != EAQ_DEFAULT_SIZE) - || ((sport != EAQ_DEFAULT_PORT) && (dport != EAQ_DEFAULT_PORT))) { - exclude_eaq: - NDPI_LOG(NDPI_PROTOCOL_EAQ, ndpi_struct, NDPI_LOG_DEBUG, "Exclude eaq.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_EAQ); - return; - } - - if(packet->udp != NULL) { - u_int32_t seq = (packet->payload[0] * 1000) + (packet->payload[1] * 100) + (packet->payload[2] * 10) + packet->payload[3]; - - if(flow->l4.udp.eaq_pkt_id == 0) - flow->l4.udp.eaq_sequence = seq; - else { - if((flow->l4.udp.eaq_sequence == seq) || ((flow->l4.udp.eaq_sequence+1) == seq)) { - ; /* Looks good */ - } else - goto exclude_eaq; - } + NDPI_LOG_DBG(ndpi_struct, "search eaq\n"); + + do { + if( (packet->payload_packet_len != EAQ_DEFAULT_SIZE) || + ((sport != EAQ_DEFAULT_PORT) && (dport != EAQ_DEFAULT_PORT)) ) + break; + + if(packet->udp != NULL) { + u_int32_t seq = (packet->payload[0] * 1000) + (packet->payload[1] * 100) + (packet->payload[2] * 10) + packet->payload[3]; + + if(flow->l4.udp.eaq_pkt_id == 0) + flow->l4.udp.eaq_sequence = seq; + else { + if( (flow->l4.udp.eaq_sequence != seq) && + ((flow->l4.udp.eaq_sequence+1) != seq)) break; + } - if(++flow->l4.udp.eaq_pkt_id == 4) { - /* We have collected enough packets so we assume it's EAQ */ - NDPI_LOG(NDPI_PROTOCOL_EAQ, ndpi_struct, NDPI_LOG_DEBUG, "found eaq.\n"); - ndpi_int_eaq_add_connection(ndpi_struct, flow); + if(++flow->l4.udp.eaq_pkt_id == 4) { + /* We have collected enough packets so we assume it's EAQ */ + NDPI_LOG_INFO(ndpi_struct, "found eaq\n"); + ndpi_int_eaq_add_connection(ndpi_struct, flow); + return; + } } - } else - goto exclude_eaq; + } while(0); + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } 
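Review bot: `packet->udp` is dereferenced in the declaration of `sport` and `dport` at the top of ndpi_search_eaq, before the `if(packet->udp != NULL)` test that this rewrite keeps inside the `do { } while(0)`. Either that test is dead code, or a flow without a UDP header faults before it is ever reached; the registration that decides which flows get here is not visible in the hunk. I would declare `u_int16_t sport, dport;`, then `if(packet->udp == NULL) { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; }`, and read the ports only after that. The inner NULL test can then be dropped.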
diff --git a/src/lib/protocols/edonkey.c b/src/lib/protocols/edonkey.c index 5196cc9e5..34276bbcb 100644 --- a/src/lib/protocols/edonkey.c +++ b/src/lib/protocols/edonkey.c @@ -23,10 +23,15 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_EDONKEY + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_EDONKEY #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_EDONKEY + static void ndpi_int_edonkey_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_EDONKEY, NDPI_PROTOCOL_UNKNOWN); } 
@@ -159,24 +164,23 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct, /* Break after 20 packets. */ if (flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_EDONKEY, ndpi_struct, NDPI_LOG_DEBUG, "Exclude EDONKEY.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_EDONKEY); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } /* Check if we so far detected the protocol in the request or not. */ if (flow->edonkey_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_EDONKEY, ndpi_struct, NDPI_LOG_DEBUG, "EDONKEY stage 0: \n"); + NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage 0: \n"); if (ndpi_edonkey_payload_check(packet->payload, payload_len)) { - NDPI_LOG(NDPI_PROTOCOL_EDONKEY, ndpi_struct, NDPI_LOG_DEBUG, "Possible EDONKEY request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible EDONKEY request detected, we will look further for the response\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->edonkey_stage = packet->packet_direction + 1; } } else { - NDPI_LOG(NDPI_PROTOCOL_EDONKEY, ndpi_struct, NDPI_LOG_DEBUG, "EDONKEY stage %u: \n", flow->edonkey_stage); + NDPI_LOG_DBG2(ndpi_struct, "EDONKEY stage %u: \n", flow->edonkey_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->edonkey_stage - packet->packet_direction) == 1) { 
@@ -185,10 +189,10 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct, /* This is a packet in another direction. Check if we find the proper response. */ if ((payload_len == 0) || (ndpi_edonkey_payload_check(packet->payload, payload_len))) { - NDPI_LOG(NDPI_PROTOCOL_EDONKEY, ndpi_struct, NDPI_LOG_DEBUG, "Found EDONKEY.\n"); + NDPI_LOG_INFO(ndpi_struct, "found EDONKEY\n"); ndpi_int_edonkey_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_EDONKEY, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to EDONKEY, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to EDONKEY, resetting the stage to 0\n"); flow->edonkey_stage = 0; } @@ -198,7 +202,7 @@ static void ndpi_check_edonkey(struct ndpi_detection_module_struct *ndpi_struct, void ndpi_search_edonkey(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_EDONKEY, ndpi_struct, NDPI_LOG_DEBUG, "EDONKEY detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search EDONKEY\n"); /* skip marked packets */ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_EDONKEY) { diff --git a/src/lib/protocols/fasttrack.c b/src/lib/protocols/fasttrack.c index c432f6754..016a15621 100644 --- a/src/lib/protocols/fasttrack.c +++ b/src/lib/protocols/fasttrack.c @@ -22,11 +22,13 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_FASTTRACK +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FASTTRACK + +#include "ndpi_api.h" static void ndpi_int_fasttrack_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
@@ -39,13 +41,12 @@ void ndpi_search_fasttrack_tcp(struct ndpi_detection_module_struct *ndpi_struct, { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + NDPI_LOG_DBG(ndpi_struct, "search FASTTRACK\n"); if ( (packet->payload != NULL) && (packet->payload_packet_len > 6) && (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a)) { - NDPI_LOG(NDPI_PROTOCOL_FASTTRACK, ndpi_struct, NDPI_LOG_TRACE, "detected 0d0a at the end of the packet.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected 0d0a at the end of the packet\n"); if (memcmp(packet->payload, "GIVE ", 5) == 0 && packet->payload_packet_len >= 8) { u_int16_t i; @@ -56,20 +57,20 @@ void ndpi_search_fasttrack_tcp(struct ndpi_detection_module_struct *ndpi_struct, } } - NDPI_LOG(NDPI_PROTOCOL_FASTTRACK, ndpi_struct, NDPI_LOG_TRACE, "FASTTRACK GIVE DETECTED\n"); + NDPI_LOG_INFO(ndpi_struct, "found FASTTRACK\n"); ndpi_int_fasttrack_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /", 5) == 0) { u_int8_t a = 0; - NDPI_LOG(NDPI_PROTOCOL_FASTTRACK, ndpi_struct, NDPI_LOG_TRACE, "detected GET /. \n"); + NDPI_LOG_DBG2(ndpi_struct, "detected GET /. \n"); ndpi_parse_packet_line_info(ndpi_struct, flow); for (a = 0; a < packet->parsed_lines; a++) { if ((packet->line[a].len > 17 && memcmp(packet->line[a].ptr, "X-Kazaa-Username: ", 18) == 0) || (packet->line[a].len > 23 && memcmp(packet->line[a].ptr, "User-Agent: PeerEnabler/", 24) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_FASTTRACK, ndpi_struct, NDPI_LOG_TRACE, - "detected X-Kazaa-Username: || User-Agent: PeerEnabler/\n"); + NDPI_LOG_INFO(ndpi_struct, + "found FASTTRACK X-Kazaa-Username: || User-Agent: PeerEnabler/\n"); ndpi_int_fasttrack_add_connection(ndpi_struct, flow); return; } 
@@ -78,8 +79,7 @@ void ndpi_search_fasttrack_tcp(struct ndpi_detection_module_struct *ndpi_struct, } exclude_fasttrack: - NDPI_LOG(NDPI_PROTOCOL_FASTTRACK, ndpi_struct, NDPI_LOG_TRACE, "fasttrack/kazaa excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FASTTRACK); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/fiesta.c b/src/lib/protocols/fiesta.c index a3e89af8f..9a9c78852 100644 --- a/src/lib/protocols/fiesta.c +++ b/src/lib/protocols/fiesta.c @@ -22,10 +22,14 @@ * */ -/* include files */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_FIESTA +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FIESTA + +#include "ndpi_api.h" + static void ndpi_int_fiesta_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -35,18 +39,15 @@ static void ndpi_int_fiesta_add_connection(struct ndpi_detection_module_struct * void ndpi_search_fiesta(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "search fiesta.\n"); + NDPI_LOG_DBG(ndpi_struct, "search fiesta\n"); if (flow->l4.tcp.fiesta_stage == 0 && packet->payload_packet_len == 5 && get_u_int16_t(packet->payload, 0) == ntohs(0x0407) && (packet->payload[2] == 0x08) && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01)) { - NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "maybe fiesta symmetric, first packet.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe fiesta symmetric, first packet\n"); flow->l4.tcp.fiesta_stage = 1 + packet->packet_direction; goto maybe_fiesta; } 
@@ -54,7 +55,7 @@ void ndpi_search_fiesta(struct ndpi_detection_module_struct *ndpi_struct, struct && ((packet->payload_packet_len > 1 && packet->payload_packet_len - 1 == packet->payload[0]) || (packet->payload_packet_len > 3 && packet->payload[0] == 0 && get_l16(packet->payload, 1) == packet->payload_packet_len - 3))) { - NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "Maybe fiesta.\n"); + NDPI_LOG_DBG2(ndpi_struct, "Maybe fiesta\n"); goto maybe_fiesta; } if (flow->l4.tcp.fiesta_stage == (1 + packet->packet_direction)) { @@ -79,16 +80,15 @@ void ndpi_search_fiesta(struct ndpi_detection_module_struct *ndpi_struct, struct } } - NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "exclude fiesta.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FIESTA); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; maybe_fiesta: - NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "Stage is set to %d.\n", flow->l4.tcp.fiesta_stage); + NDPI_LOG_DBG2(ndpi_struct, "Stage is set to %d\n", flow->l4.tcp.fiesta_stage); return; add_fiesta: - NDPI_LOG(NDPI_PROTOCOL_FIESTA, ndpi_struct, NDPI_LOG_DEBUG, "detected fiesta.\n"); + NDPI_LOG_INFO(ndpi_struct, "found fiesta\n"); ndpi_int_fiesta_add_connection(ndpi_struct, flow); return; } diff --git a/src/lib/protocols/filetopia.c b/src/lib/protocols/filetopia.c index 167b63a8e..eb3215e48 100644 --- a/src/lib/protocols/filetopia.c +++ b/src/lib/protocols/filetopia.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_FILETOPIA +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FILETOPIA + +#include "ndpi_api.h" + static void ndpi_int_filetopia_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
@@ -36,14 +40,13 @@ void ndpi_search_filetopia_tcp(struct ndpi_detection_module_struct *ndpi_struct, { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + NDPI_LOG_DBG(ndpi_struct, "search Filetopia\n"); if (flow->l4.tcp.filetopia_stage == 0) { if (packet->payload_packet_len >= 50 && packet->payload_packet_len <= 70 && packet->payload[0] == 0x03 && packet->payload[1] == 0x9a && packet->payload[3] == 0x22 && packet->payload[packet->payload_packet_len - 1] == 0x2b) { - NDPI_LOG(NDPI_PROTOCOL_FILETOPIA, ndpi_struct, NDPI_LOG_DEBUG, "Filetopia stage 1 detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "Filetopia stage 1 detected\n"); flow->l4.tcp.filetopia_stage = 1; return; } @@ -59,7 +62,7 @@ void ndpi_search_filetopia_tcp(struct ndpi_detection_module_struct *ndpi_struct, } } - NDPI_LOG(NDPI_PROTOCOL_FILETOPIA, ndpi_struct, NDPI_LOG_DEBUG, "Filetopia stage 2 detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "Filetopia stage 2 detected\n"); flow->l4.tcp.filetopia_stage = 2; return; } @@ -69,7 +72,7 @@ void ndpi_search_filetopia_tcp(struct ndpi_detection_module_struct *ndpi_struct, if (packet->payload_packet_len >= 4 && packet->payload_packet_len <= 100 && packet->payload[0] == 0x03 && packet->payload[1] == 0x9a && (packet->payload[3] == 0x22 || packet->payload[3] == 0x23)) { - NDPI_LOG(NDPI_PROTOCOL_FILETOPIA, ndpi_struct, NDPI_LOG_DEBUG, "Filetopia detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found Filetopia\n"); ndpi_int_filetopia_add_connection(ndpi_struct, flow); return; } @@ -77,7 +80,7 @@ void ndpi_search_filetopia_tcp(struct ndpi_detection_module_struct *ndpi_struct, } end_filetopia_nothing_found: - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FILETOPIA); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/fix.c b/src/lib/protocols/fix.c index b96454c3f..4f3f9849b 100644 --- a/src/lib/protocols/fix.c 
+++ b/src/lib/protocols/fix.c @@ -20,14 +20,21 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" + +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_FIX +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FIX + +#include "ndpi_api.h" + + void ndpi_search_fix(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search FIX\n"); if(packet->tcp) { // 8= if(packet->payload[0] == 0x38 && packet->payload[1] == 0x3d) { @@ -37,7 +44,7 @@ void ndpi_search_fix(struct ndpi_detection_module_struct *ndpi_struct, struct nd packet->payload[4] == 0x58 && packet->payload[5] == 0x2e) { - NDPI_LOG(NDPI_PROTOCOL_FIX, ndpi_struct, NDPI_LOG_DEBUG, "FIX detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found FIX\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FIX, NDPI_PROTOCOL_UNKNOWN); return; } @@ -47,14 +54,14 @@ void ndpi_search_fix(struct ndpi_detection_module_struct *ndpi_struct, struct nd packet->payload[4] == 0x39 && packet->payload[5] == 0x3d) { - NDPI_LOG(NDPI_PROTOCOL_FIX, ndpi_struct, NDPI_LOG_DEBUG, "FIX detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found FIX\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FIX, NDPI_PROTOCOL_UNKNOWN); return; } } } - /* exclude FIX */ - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FIX); + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/florensia.c b/src/lib/protocols/florensia.c index c694a2939..217874a6a 100644 --- a/src/lib/protocols/florensia.c +++ b/src/lib/protocols/florensia.c @@ -22,11 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" - -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_FLORENSIA +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FLORENSIA + +#include "ndpi_api.h" + static void ndpi_florensia_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
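Review bot: In the first fix.c hunk, ndpi_search_fix reads `packet->payload[0]` and `packet->payload[1]` right after `if(packet->tcp)`, and the following hunks read up to `packet->payload[5]`, with no check of `packet->payload_packet_len` visible. A TCP segment carrying fewer than six payload bytes would be read past its end by a dissector that handles untrusted traffic. The guard could become `if(packet->tcp && packet->payload_packet_len > 5) {`, which leaves short packets to fall through to `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`. The commit only adds logging here, so this is a pre-existing gap on the new side rather than something the patch introduces.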
@@ -37,44 +40,40 @@ void ndpi_search_florensia(struct ndpi_detection_module_struct *ndpi_struct, str { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - - - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "search florensia.\n"); + NDPI_LOG_DBG(ndpi_struct, "search florensia\n"); if (packet->tcp != NULL) { if (packet->payload_packet_len == 5 && get_l16(packet->payload, 0) == packet->payload_packet_len && packet->payload[2] == 0x65 && packet->payload[4] == 0xff) { if (flow->florensia_stage == 1) { - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "found florensia.\n"); + NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); ndpi_florensia_add_connection(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "maybe florensia -> stage is set to 1.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); flow->florensia_stage = 1; return; } if (packet->payload_packet_len > 8 && get_l16(packet->payload, 0) == packet->payload_packet_len && get_u_int16_t(packet->payload, 2) == htons(0x0201) && get_u_int32_t(packet->payload, 4) == htonl(0xFFFFFFFF)) { - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "maybe florensia -> stage is set to 1.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); flow->florensia_stage = 1; return; } if (packet->payload_packet_len == 406 && get_l16(packet->payload, 0) == packet->payload_packet_len && packet->payload[2] == 0x63) { - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "maybe florensia -> stage is set to 1.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); flow->florensia_stage = 1; return; } if (packet->payload_packet_len == 12 && get_l16(packet->payload, 0) == packet->payload_packet_len && get_u_int16_t(packet->payload, 2) == htons(0x0301)) { if (flow->florensia_stage == 1) 
{ - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "found florensia.\n"); + NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); ndpi_florensia_add_connection(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "maybe florensia -> stage is set to 1.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); flow->florensia_stage = 1; return; } @@ -82,19 +81,19 @@ void ndpi_search_florensia(struct ndpi_detection_module_struct *ndpi_struct, str if (flow->florensia_stage == 1) { if (packet->payload_packet_len == 8 && get_l16(packet->payload, 0) == packet->payload_packet_len && get_u_int16_t(packet->payload, 2) == htons(0x0302) && get_u_int32_t(packet->payload, 4) == htonl(0xFFFFFFFF)) { - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "found florensia asymmetrically.\n"); + NDPI_LOG_INFO(ndpi_struct, "found florensia asymmetrically\n"); ndpi_florensia_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len == 24 && get_l16(packet->payload, 0) == packet->payload_packet_len && get_u_int16_t(packet->payload, 2) == htons(0x0202) && get_u_int32_t(packet->payload, packet->payload_packet_len - 4) == htonl(0xFFFFFFFF)) { - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "found florensia.\n"); + NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); ndpi_florensia_add_connection(ndpi_struct, flow); return; } if (flow->packet_counter < 10 && get_l16(packet->payload, 0) == packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "maybe florensia.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia\n"); return; } } 
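Review bot: In the `@@ -82,19 +81,19 @@` hunk of florensia.c, the last stage-1 test `flow->packet_counter < 10 && get_l16(packet->payload, 0) == packet->payload_packet_len` reads two payload bytes before any length check. Every other `get_l16(packet->payload, 0)` comparison in this function is preceded by a `payload_packet_len ==` or `>` test that short-circuits first. A TCP packet with zero or one payload byte would therefore be read past its end, unless a caller outside the hunk already filters such packets. Adding the bound keeps the branch consistent with its siblings: `if (flow->packet_counter < 10 && packet->payload_packet_len >= 2 && get_l16(packet->payload, 0) == packet->payload_packet_len) {`.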
@@ -103,20 +102,19 @@ void ndpi_search_florensia(struct ndpi_detection_module_struct *ndpi_struct, str if (packet->udp != NULL) { if (flow->florensia_stage == 0 && packet->payload_packet_len == 6 && get_u_int16_t(packet->payload, 0) == ntohs(0x0503) && get_u_int32_t(packet->payload, 2) == htonl(0xFFFF0000)) { - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "maybe florensia -> stage is set to 1.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe florensia -> stage is set to 1\n"); flow->florensia_stage = 1; return; } if (flow->florensia_stage == 1 && packet->payload_packet_len == 8 && get_u_int16_t(packet->payload, 0) == ntohs(0x0500) && get_u_int16_t(packet->payload, 4) == htons(0x4191)) { - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "found florensia.\n"); + NDPI_LOG_INFO(ndpi_struct, "found florensia\n"); ndpi_florensia_add_connection(ndpi_struct, flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_FLORENSIA, ndpi_struct, NDPI_LOG_DEBUG, "exclude florensia.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FLORENSIA); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/ftp_control.c b/src/lib/protocols/ftp_control.c index e9ed7ee45..f23476db0 100644 --- a/src/lib/protocols/ftp_control.c +++ b/src/lib/protocols/ftp_control.c @@ -21,10 +21,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_FTP_CONTROL + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FTP_CONTROL #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_FTP_CONTROL static void ndpi_int_ftp_control_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FTP_CONTROL, NDPI_PROTOCOL_UNKNOWN); 
@@ -944,31 +948,29 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str /* Exclude SMTP, which uses similar commands. */ if (packet->tcp->dest == htons(25) || packet->tcp->source == htons(25)) { - NDPI_LOG(NDPI_PROTOCOL_FTP_CONTROL, ndpi_struct, NDPI_LOG_DEBUG, "Exclude FTP_CONTROL.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FTP_CONTROL); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } /* Break after 20 packets. */ if (flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_FTP_CONTROL, ndpi_struct, NDPI_LOG_DEBUG, "Exclude FTP_CONTROL.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FTP_CONTROL); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } /* Check if we so far detected the protocol in the request or not. */ if (flow->ftp_control_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_FTP_CONTROL, ndpi_struct, NDPI_LOG_DEBUG, "FTP_CONTROL stage 0: \n"); + NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage 0: \n"); if ((payload_len > 0) && ndpi_ftp_control_check_request(packet->payload, payload_len)) { - NDPI_LOG(NDPI_PROTOCOL_FTP_CONTROL, ndpi_struct, NDPI_LOG_DEBUG, "Possible FTP_CONTROL request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible FTP_CONTROL request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->ftp_control_stage = packet->packet_direction + 1; } } else { - NDPI_LOG(NDPI_PROTOCOL_FTP_CONTROL, ndpi_struct, NDPI_LOG_DEBUG, "FTP_CONTROL stage %u: \n", flow->ftp_control_stage); + NDPI_LOG_DBG2(ndpi_struct, "FTP_CONTROL stage %u: \n", flow->ftp_control_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->ftp_control_stage - packet->packet_direction) == 1) { 
@@ -977,10 +979,10 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str /* This is a packet in another direction. Check if we find the proper response. */ if ((payload_len > 0) && ndpi_ftp_control_check_response(packet->payload, payload_len)) { - NDPI_LOG(NDPI_PROTOCOL_FTP_CONTROL, ndpi_struct, NDPI_LOG_DEBUG, "Found FTP_CONTROL.\n"); + NDPI_LOG_INFO(ndpi_struct, "found FTP_CONTROL\n"); ndpi_int_ftp_control_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_FTP_CONTROL, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to FTP_CONTROL, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to FTP_CONTROL, resetting the stage to 0\n"); flow->ftp_control_stage = 0; } } @@ -990,7 +992,7 @@ static void ndpi_check_ftp_control(struct ndpi_detection_module_struct *ndpi_str void ndpi_search_ftp_control(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_FTP_CONTROL, ndpi_struct, NDPI_LOG_DEBUG, "FTP_CONTROL detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search FTP_CONTROL\n"); /* skip marked packets */ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_FTP_CONTROL) { diff --git a/src/lib/protocols/ftp_data.c b/src/lib/protocols/ftp_data.c index f5622ffb5..ec1e8d7d8 100644 --- a/src/lib/protocols/ftp_data.c +++ b/src/lib/protocols/ftp_data.c @@ -23,9 +23,14 @@ * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_FTP_DATA + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_FTP_DATA + +#include "ndpi_api.h" + static void ndpi_int_ftp_data_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_FTP_DATA, NDPI_PROTOCOL_UNKNOWN); } 
@@ -223,22 +228,21 @@ static void ndpi_check_ftp_data(struct ndpi_detection_module_struct *ndpi_struct || ndpi_match_ftp_data_port(ndpi_struct, flow) ) ) { - NDPI_LOG(NDPI_PROTOCOL_FTP_DATA, ndpi_struct, NDPI_LOG_DEBUG, "Possible FTP_DATA request detected...\n"); + NDPI_LOG_INFO(ndpi_struct, "found FTP_DATA request\n"); ndpi_int_ftp_data_add_connection(ndpi_struct, flow); } else - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FTP_DATA); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_ftp_data(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { /* Break after 20 packets. */ if(flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_FTP_DATA, ndpi_struct, NDPI_LOG_DEBUG, "Exclude FTP_DATA.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_FTP_DATA); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_FTP_DATA, ndpi_struct, NDPI_LOG_DEBUG, "FTP_DATA detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search FTP_DATA\n"); ndpi_check_ftp_data(ndpi_struct, flow); } diff --git a/src/lib/protocols/git.c b/src/lib/protocols/git.c index a60a94fe1..0b4192289 100644 --- a/src/lib/protocols/git.c +++ b/src/lib/protocols/git.c @@ -17,10 +17,16 @@ * If not, see . * */ + +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_GIT + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_GIT + #include #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_GIT #define GIT_PORT 9418 @@ -29,6 +35,8 @@ void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, { struct ndpi_packet_struct * packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search Git\n"); + if((packet->tcp != NULL) && (packet->payload_packet_len > 4)) { if((ntohs(packet->tcp->source) == GIT_PORT) || (ntohs(packet->tcp->dest) == GIT_PORT)) { 
@@ -52,15 +60,14 @@ void ndpi_search_git(struct ndpi_detection_module_struct *ndpi_struct, } if(found_git) { - NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "found Git.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Git\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GIT, NDPI_PROTOCOL_UNKNOWN); return; } } } - NDPI_LOG(NDPI_PROTOCOL_GIT, ndpi_struct, NDPI_LOG_DEBUG, "exclude Git.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GIT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/gnutella.c b/src/lib/protocols/gnutella.c index 1ead0570b..295cfaecd 100644 --- a/src/lib/protocols/gnutella.c +++ b/src/lib/protocols/gnutella.c @@ -22,12 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -/* include files */ +#ifdef NDPI_PROTOCOL_GNUTELLA -#include "ndpi_protocols.h" +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_GNUTELLA + +#include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_GNUTELLA static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , */ 
@@ -38,22 +40,21 @@ static void ndpi_int_gnutella_add_connection(struct ndpi_detection_module_struct struct ndpi_id_struct *dst = flow->dst; ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GNUTELLA, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found GNUTELLA\n"); if (src != NULL) { src->gnutella_ts = packet->tick_timestamp; if (packet->udp != NULL) { if (!src->detected_gnutella_udp_port1) { src->detected_gnutella_udp_port1 = (packet->udp->source); - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, - NDPI_LOG_DEBUG, "GNUTELLA UDP PORT1 DETECTED as %u\n", - src->detected_gnutella_udp_port1); + NDPI_LOG_DBG2(ndpi_struct, + "GNUTELLA UDP PORT1 DETECTED as %u\n", src->detected_gnutella_udp_port1); } else if ((ntohs(packet->udp->source) != src->detected_gnutella_udp_port1) && !src->detected_gnutella_udp_port2) { src->detected_gnutella_udp_port2 = (packet->udp->source); - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, - NDPI_LOG_DEBUG, "GNUTELLA UDP PORT2 DETECTED as %u\n", - src->detected_gnutella_udp_port2); + NDPI_LOG_DBG2(ndpi_struct, + "GNUTELLA UDP PORT2 DETECTED as %u\n", src->detected_gnutella_udp_port2); } } 
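Review bot: The UDP port bookkeeping in ndpi_int_gnutella_add_connection mixes byte orders. `src->detected_gnutella_udp_port1 = (packet->udp->source);` stores the raw network-order value, but the `else if` compares `ntohs(packet->udp->source) != src->detected_gnutella_udp_port1`. On a little-endian host that inequality holds for almost any port, so the same port is recorded again as port2. The port-based match later in this patch compares the raw `packet->udp->source` against both fields, so dropping the conversion gives a consistent convention: `} else if ((packet->udp->source != src->detected_gnutella_udp_port1)`. The two rewritten `NDPI_LOG_DBG2` lines would then print a readable port with `ntohs(src->detected_gnutella_udp_port1)` and `ntohs(src->detected_gnutella_udp_port2)`. The function begins outside this hunk.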
@@ -71,16 +72,17 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru struct ndpi_id_struct *dst = flow->dst; u_int16_t c; + + NDPI_LOG_DBG(ndpi_struct, "search GNUTELLA\n"); + if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_GNUTELLA) { if (src != NULL && ((u_int32_t) (packet->tick_timestamp - src->gnutella_ts) < ndpi_struct->gnutella_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, - NDPI_LOG_DEBUG, "gnutella : save src connection packet detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "save src connection packet detected\n"); src->gnutella_ts = packet->tick_timestamp; } else if (dst != NULL && ((u_int32_t) (packet->tick_timestamp - dst->gnutella_ts) < ndpi_struct->gnutella_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, - NDPI_LOG_DEBUG, "gnutella : save dst connection packet detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "save dst connection packet detected\n"); dst->gnutella_ts = packet->tick_timestamp; } if (src != NULL && (packet->tick_timestamp - src->gnutella_ts) > ndpi_struct->gnutella_timeout) { @@ -102,13 +104,11 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru if (packet->tcp != NULL) { /* this case works asymmetrically */ if (packet->payload_packet_len > 10 && memcmp(packet->payload, "GNUTELLA/", 9) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "GNUTELLA DETECTED\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } /* this case works asymmetrically */ if (packet->payload_packet_len > 17 && memcmp(packet->payload, "GNUTELLA CONNECT/", 17) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "GNUTELLA DETECTED\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } 
@@ -123,7 +123,6 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru || (packet->line[c].len > 7 && memcmp(packet->line[c].ptr, "X-Queue:", 8) == 0) || (packet->line[c].len > 36 && memcmp(packet->line[c].ptr, "Content-Type: application/x-gnutella-", 37) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "DETECTED GNUTELLA GET.\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } @@ -135,7 +134,6 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru && memcmp(packet->user_agent_line.ptr, "BearShare Lite ", 15) == 0) || (packet->accept_line.ptr != NULL && packet->accept_line.len > 24 && memcmp(packet->accept_line.ptr, "application n/x-gnutella", 24) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "DETECTED GNUTELLA GET.\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); } @@ -151,8 +149,7 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru } if (c < (packet->payload_packet_len - 9) && memcmp(&packet->payload[c], "urn:sha1:", 9) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, - "detected GET /get/ or GET /uri-res/.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected GET /get/ or GET /uri-res/\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); } 
@@ -161,14 +158,14 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru /* answer to this packet is HTTP/1.1 ..... Content-Type: application/x-gnutella-packets, * it is searched in the upper paragraph. */ if (packet->payload_packet_len > 30 && memcmp(packet->payload, "HEAD /gnutella/push-proxy?", 26) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected HEAD /gnutella/push-proxy?\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected HEAD /gnutella/push-proxy?\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } /* haven't found any trace with this pattern */ if (packet->payload_packet_len == 46 && memcmp(packet->payload, "\x50\x55\x53\x48\x20\x67\x75\x69\x64\x3a", 10) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, + NDPI_LOG_DBG2(ndpi_struct, "detected \x50\x55\x53\x48\x20\x67\x75\x69\x64\x3a\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; @@ -189,8 +186,7 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru 44) == 0) || (end - c > 10 && memcmp(&packet->payload[c], "\r\nX-Queue:", 10) == 0) || (end - c > 13 && memcmp(&packet->payload[c], "\r\nX-Features:", 13) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, - ndpi_struct, NDPI_LOG_TRACE, "FOXY :: GNUTELLA GET 2 DETECTED\n"); + NDPI_LOG_DBG2(ndpi_struct, "FOXY :: GNUTELLA GET 2 DETECTED\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } 
@@ -202,7 +198,7 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru if (packet->payload_packet_len > 1 && packet->payload[packet->payload_packet_len - 1] == 0x0a && packet->payload[packet->payload_packet_len - 2] == 0x0a) { if (packet->payload_packet_len > 3 && memcmp(packet->payload, "GIV", 3) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "MORPHEUS GIV DETECTED\n"); + NDPI_LOG_DBG2(ndpi_struct, "MORPHEUS GIV DETECTED\n"); /* Not Excluding the flow now.. We shall Check the next Packet too for Gnutella Patterns */ return; } 
@@ -211,21 +207,21 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru if (packet->payload_packet_len == 46 && get_u_int32_t(packet->payload, 0) == htonl(0x802c0103) && get_u_int32_t(packet->payload, 4) == htonl(0x01000300) && get_u_int32_t(packet->payload, 8) == htonl(0x00002000) && get_u_int16_t(packet->payload, 12) == htons(0x0034)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected gnutella len == 46.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella len == 46\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len == 49 && memcmp(packet->payload, "\x80\x2f\x01\x03\x01\x00\x06\x00\x00\x00\x20\x00\x00\x34\x00\x00\xff\x4d\x6c", 19) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected gnutella len == 49.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella len == 49\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len == 89 && memcmp(&packet->payload[43], "\x20\x4d\x6c", 3) == 0 && memcmp(packet->payload, "\x16\x03\x01\x00\x54\x01\x00\x00\x50\x03\x01\x4d\x6c", 13) == 0 && memcmp(&packet->payload[76], "\x00\x02\x00\x34\x01\x00\x00\x05", 8) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella asymmetrically len == 388.\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; @@ -235,7 +231,7 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru && get_u_int16_t(packet->payload, 8) == htons(0x4903) && get_u_int16_t(packet->payload, 76) == htons(0x0002) && get_u_int32_t(packet->payload, 78) == htonl(0x00340100)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_TRACE, "detected len == 82.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected len == 82\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } 
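Review bot: The rewritten debug message `"detected gnutella asymmetrically len == 388.\n"` sits in the branch guarded by `packet->payload_packet_len == 89`, so the log reports a length the code never tests for. It also keeps the trailing full stop that the other messages in this hunk drop. Since the line is being touched anyway, `NDPI_LOG_DBG2(ndpi_struct, "detected gnutella asymmetrically len == 89\n");` would match the condition, which matters when these traces are used to explain why a flow was classified.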
@@ -244,7 +240,7 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru if (src != NULL && (packet->udp->source == src->detected_gnutella_udp_port1 || packet->udp->source == src->detected_gnutella_udp_port2) && (packet->tick_timestamp - src->gnutella_ts) < ndpi_struct->gnutella_timeout) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, "port based detection\n\n"); + NDPI_LOG_DBG2(ndpi_struct, "port based detection\n\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); } /* observations: @@ -257,8 +253,7 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru && packet->payload[16] == 0x41 && packet->payload[17] == 0x01 && packet->payload[18] == 0x00 && packet->payload[19] == 0x00 && packet->payload[20] == 0x00 && packet->payload[21] == 0x00 && packet->payload[22] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, - "detected gnutella udp, len = 23.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, len = 23\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; 
@@ -267,29 +262,25 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru && packet->payload[26] == 0x50 && packet->payload[27] == 0x40 && packet->payload[28] == 0x83 && packet->payload[29] == 0x53 && packet->payload[30] == 0x43 && packet->payload[31] == 0x50 && packet->payload[32] == 0x41) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, - "detected gnutella udp, len = 35.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, len = 35\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len == 32 && (memcmp(&packet->payload[16], "\x31\x01\x00\x09\x00\x00\x00\x4c\x49\x4d\x45", 11) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, - "detected gnutella udp, len = 32.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, len = 32\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len == 34 && (memcmp(&packet->payload[25], "SCP@", 4) == 0) && (memcmp(&packet->payload[30], "DNA@", 4) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, - "detected gnutella udp, len = 34.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, len = 34\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } if ((packet->payload_packet_len == 73 || packet->payload_packet_len == 96) && memcmp(&packet->payload[32], "urn:sha1:", 9) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, - "detected gnutella udp, len = 73,96.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, len = 73,96\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } 
@@ -308,8 +299,7 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru && (memcmp(&packet->payload[6], "\x01\x01\x5c\x1b\x50\x55\x53\x48\x48\x10", 10) == 0)) || (packet->payload_packet_len > 200 && packet->payload_packet_len < 300 && packet->payload[3] == 0x03) || (packet->payload_packet_len > 300 && (packet->payload[3] == 0x01 || packet->payload[3] == 0x03))) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, - "detected gnutella udp, GND.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, GND\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } @@ -317,15 +307,13 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru if ((packet->payload_packet_len == 32) && memcmp(&packet->payload[16], "\x31\x01\x00\x09\x00\x00\x00", 7) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, - "detected gnutella udp, len = 32 ii.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, len = 32 ii\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } if ((packet->payload_packet_len == 23) && memcmp(&packet->payload[16], "\x00\x01\x00\x00\x00\x00\x00", 7) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, NDPI_LOG_DEBUG, - "detected gnutella udp, len = 23 ii.\n"); + NDPI_LOG_DBG2(ndpi_struct, "detected gnutella udp, len = 23 ii\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } 
@@ -350,8 +338,7 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2] && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4] && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, - NDPI_LOG_TRACE, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n"); + NDPI_LOG_DBG2(ndpi_struct, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } @@ -361,15 +348,14 @@ void ndpi_search_gnutella(struct ndpi_detection_module_struct *ndpi_struct, stru && flow->l4.tcp.gnutella_msg_id[1] == packet->payload[2] && flow->l4.tcp.gnutella_msg_id[2] == packet->payload[4] && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_GNUTELLA)) { - NDPI_LOG(NDPI_PROTOCOL_GNUTELLA, ndpi_struct, - NDPI_LOG_TRACE, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n"); + NDPI_LOG_DBG2(ndpi_struct, "GNUTELLA DETECTED due to message ID match (NEONet protocol)\n"); ndpi_int_gnutella_add_connection(ndpi_struct, flow); return; } } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GNUTELLA); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/gtp.c b/src/lib/protocols/gtp.c index 88235f2a8..0bdc4d8ee 100644 --- a/src/lib/protocols/gtp.c +++ b/src/lib/protocols/gtp.c @@ -18,10 +18,14 @@ * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_GTP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_GTP + +#include "ndpi_api.h" + struct gtp_header_generic { u_int8_t flags, message_type; u_int16_t message_len; 
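Review bot: In the gtp.c include hunk, `NDPI_CURRENT_PROTO` is defined between the two includes with no comment, and the ordering looks load-bearing. `NDPI_EXCLUDE_PROTO(ndpi_struct, flow)` and the `NDPI_LOG_*` calls no longer name a protocol, so they presumably take it from this macro; the macro definitions are not part of this diff, so that is an inference to confirm. I would add `/* keep before ndpi_api.h: NDPI_LOG_* and NDPI_EXCLUDE_PROTO rely on NDPI_CURRENT_PROTO */` above the `#define`, so a later include reshuffle does not silently attribute an exclusion or a log line to the wrong protocol. The same define-then-include pattern repeats in guildwars.c, h323.c, halflife2_and_mods.c, hangout.c, hep.c and http.c.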
@@ -50,7 +54,7 @@ static void ndpi_check_gtp(struct ndpi_detection_module_struct *ndpi_struct, str u_int16_t message_len = ntohs(gtp->message_len); if(message_len <= (payload_len-sizeof(struct gtp_header_generic))) { - NDPI_LOG(NDPI_PROTOCOL_GTP, ndpi_struct, NDPI_LOG_DEBUG, "Found gtp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found gtp\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_GTP, NDPI_PROTOCOL_UNKNOWN); return; } @@ -58,7 +62,7 @@ static void ndpi_check_gtp(struct ndpi_detection_module_struct *ndpi_struct, str } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GTP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -66,7 +70,7 @@ void ndpi_search_gtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_GTP, ndpi_struct, NDPI_LOG_DEBUG, "gtp detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search gtp\n"); /* skip marked packets */ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_GTP) diff --git a/src/lib/protocols/guildwars.c b/src/lib/protocols/guildwars.c index 108e5ee05..7b6581851 100644 --- a/src/lib/protocols/guildwars.c +++ b/src/lib/protocols/guildwars.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_GUILDWARS +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_GUILDWARS + +#include "ndpi_api.h" + static void ndpi_int_guildwars_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
@@ -35,35 +39,31 @@ static void ndpi_int_guildwars_add_connection(struct ndpi_detection_module_struc void ndpi_search_guildwars_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - NDPI_LOG(NDPI_PROTOCOL_GUILDWARS, ndpi_struct, NDPI_LOG_DEBUG, "search guildwars.\n"); + NDPI_LOG_DBG(ndpi_struct, "search guildwars\n"); if (packet->payload_packet_len == 64 && get_u_int16_t(packet->payload, 1) == ntohs(0x050c) && memcmp(&packet->payload[50], "@2&P", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_GUILDWARS, ndpi_struct, NDPI_LOG_DEBUG, "GuildWars version 29.350: found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found GuildWars version 29.350\n"); ndpi_int_guildwars_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len == 16 && get_u_int16_t(packet->payload, 1) == ntohs(0x040c) && get_u_int16_t(packet->payload, 4) == ntohs(0xa672) && packet->payload[8] == 0x01 && packet->payload[12] == 0x04) { - NDPI_LOG(NDPI_PROTOCOL_GUILDWARS, ndpi_struct, NDPI_LOG_DEBUG, "GuildWars version 29.350: found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found GuildWars version 29.350\n"); ndpi_int_guildwars_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len == 21 && get_u_int16_t(packet->payload, 0) == ntohs(0x0100) && get_u_int32_t(packet->payload, 5) == ntohl(0xf1001000) && packet->payload[9] == 0x01) { - NDPI_LOG(NDPI_PROTOCOL_GUILDWARS, ndpi_struct, NDPI_LOG_DEBUG, "GuildWars version 216.107.245.50: found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found GuildWars version 216.107.245.50\n"); ndpi_int_guildwars_add_connection(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_GUILDWARS, ndpi_struct, NDPI_LOG_DEBUG, "exclude guildwars.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_GUILDWARS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } 
diff --git a/src/lib/protocols/h323.c b/src/lib/protocols/h323.c index 31d578455..31c353a27 100644 --- a/src/lib/protocols/h323.c +++ b/src/lib/protocols/h323.c @@ -7,10 +7,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_H323 +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_H323 + +#include "ndpi_api.h" + + struct tpkt { u_int8_t version, reserved; u_int16_t len; @@ -21,10 +26,10 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n struct ndpi_packet_struct *packet = &flow->packet; u_int16_t dport = 0, sport = 0; - NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "search H323.\n"); + NDPI_LOG_DBG(ndpi_struct, "search H323\n"); if(packet->tcp != NULL) { - NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "calculated dport over tcp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculated dport over tcp\n"); /* H323 */ if(packet->payload_packet_len >= 3 @@ -44,6 +49,7 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n /* ISO 8073/X.224 */ if((packet->payload[5] == 0xE0 /* CC Connect Request */) || (packet->payload[5] == 0xD0 /* CC Connect Confirm */)) { + NDPI_LOG_INFO(ndpi_struct, "found RDP\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RDP, NDPI_PROTOCOL_UNKNOWN); return; } 
@@ -52,23 +58,24 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n flow->l4.tcp.h323_valid_packets++; if(flow->l4.tcp.h323_valid_packets >= 2) { - NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "found H323 broadcast.\n"); + NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN); } } else { /* This is not H.323 */ - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_H323); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + return; } } } else if(packet->udp != NULL) { sport = ntohs(packet->udp->source), dport = ntohs(packet->udp->dest); - NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "calculated dport over udp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculated dport over udp\n"); if(packet->payload_packet_len >= 6 && packet->payload[0] == 0x80 && packet->payload[1] == 0x08 && (packet->payload[2] == 0xe7 || packet->payload[2] == 0x26) && packet->payload[4] == 0x00 && packet->payload[5] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "found H323 broadcast.\n"); + NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN); return; } 
@@ -77,19 +84,19 @@ void ndpi_search_h323(struct ndpi_detection_module_struct *ndpi_struct, struct n { if(packet->payload[0] == 0x16 && packet->payload[1] == 0x80 && packet->payload[4] == 0x06 && packet->payload[5] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "found H323 broadcast.\n"); + NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN); return; } else if(packet->payload_packet_len >= 20 && packet->payload_packet_len <= 117) { - NDPI_LOG(NDPI_PROTOCOL_H323, ndpi_struct, NDPI_LOG_DEBUG, "found H323 broadcast.\n"); + NDPI_LOG_INFO(ndpi_struct, "found H323 broadcast\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_H323, NDPI_PROTOCOL_UNKNOWN); return; } else { - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_H323); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } } diff --git a/src/lib/protocols/halflife2_and_mods.c b/src/lib/protocols/halflife2_and_mods.c index 365ea21b5..5319424fa 100644 --- a/src/lib/protocols/halflife2_and_mods.c +++ b/src/lib/protocols/halflife2_and_mods.c @@ -23,9 +23,14 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_HALFLIFE2 +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HALFLIFE2 + +#include "ndpi_api.h" + static void ndpi_int_halflife2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
@@ -36,15 +41,14 @@ void ndpi_search_halflife2(struct ndpi_detection_module_struct *ndpi_struct, str { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + NDPI_LOG_DBG(ndpi_struct, "search halflife2\n"); if (flow->l4.udp.halflife2_stage == 0) { if (packet->payload_packet_len >= 20 && get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF && get_u_int32_t(packet->payload, packet->payload_packet_len - 4) == htonl(0x30303000)) { flow->l4.udp.halflife2_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_HALFLIFE2, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "halflife2 client req detected, waiting for server reply\n"); return; } @@ -53,13 +57,12 @@ void ndpi_search_halflife2(struct ndpi_detection_module_struct *ndpi_struct, str && get_u_int32_t(packet->payload, 0) == 0xFFFFFFFF && get_u_int32_t(packet->payload, packet->payload_packet_len - 4) == htonl(0x30303000)) { ndpi_int_halflife2_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_HALFLIFE2, ndpi_struct, NDPI_LOG_DEBUG, "halflife2 server reply detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found halflife2\n"); return; } } - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HALFLIFE2); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/hangout.c b/src/lib/protocols/hangout.c index 4555c6c75..de35653ea 100644 --- a/src/lib/protocols/hangout.c +++ b/src/lib/protocols/hangout.c @@ -17,10 +17,16 @@ * If not, see . * */ -#include "ndpi_api.h" + +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_HANGOUT +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HANGOUT + +#include "ndpi_api.h" + + /* https://support.google.com/a/answer/1279090?hl=en */ #define HANGOUT_UDP_LOW_PORT 19302 #define HANGOUT_UDP_HIGH_PORT 19309 
@@ -73,19 +79,20 @@ void ndpi_search_hangout(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct * packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search Hangout\n"); + if((packet->payload_packet_len > 24) && is_google_flow(ndpi_struct, flow)) { if( ((packet->udp != NULL) && (isHangoutUDPPort(ntohs(packet->udp->source)) || isHangoutUDPPort(ntohs(packet->udp->dest)))) || ((packet->tcp != NULL) && (isHangoutTCPPort(ntohs(packet->tcp->source)) || isHangoutTCPPort(ntohs(packet->tcp->dest))))) { - NDPI_LOG(NDPI_PROTOCOL_HANGOUT, ndpi_struct, NDPI_LOG_DEBUG, "Found Hangout.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Hangout\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HANGOUT, NDPI_PROTOCOL_UNKNOWN); return; } } - NDPI_LOG(NDPI_PROTOCOL_HANGOUT, ndpi_struct, NDPI_LOG_DEBUG, "No Hangout.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HANGOUT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } /* ***************************************************************** */ diff --git a/src/lib/protocols/hep.c b/src/lib/protocols/hep.c index 516e430e7..1c7617c88 100644 --- a/src/lib/protocols/hep.c +++ b/src/lib/protocols/hep.c @@ -24,9 +24,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_HEP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HEP + +#include "ndpi_api.h" + + static void ndpi_int_hep_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
@@ -39,17 +45,16 @@ void ndpi_search_hep(struct ndpi_detection_module_struct *ndpi_struct, struct nd const u_int8_t *packet_payload = packet->payload; u_int32_t payload_len = packet->payload_packet_len; - NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "searching for HEP.\n"); + NDPI_LOG_DBG(ndpi_struct, "searching HEP\n"); if (payload_len > 10) { if (memcmp(packet_payload, "HEP3", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "found HEP3.\n"); + NDPI_LOG_INFO(ndpi_struct, "found HEP3\n"); ndpi_int_hep_add_connection(ndpi_struct, flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_HEP, ndpi_struct, NDPI_LOG_DEBUG, "exclude HEP.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HEP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/http.c b/src/lib/protocols/http.c index c57c73aac..1d12ea2e9 100644 --- a/src/lib/protocols/http.c +++ b/src/lib/protocols/http.c @@ -20,10 +20,15 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" + +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_HTTP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HTTP + +#include "ndpi_api.h" + /* global variables used for 1kxun protocol and iqiyi service */ @@ -63,7 +68,7 @@ static void flash_check_http_payload(struct ndpi_detection_module_struct if(memcmp(pos, "FLV", 3) == 0 && pos[3] == 0x01 && (pos[4] == 0x01 || pos[4] == 0x04 || pos[4] == 0x05) && pos[5] == 0x00 && pos[6] == 0x00 && pos[7] == 0x00 && pos[8] == 0x09) { - NDPI_LOG(NDPI_CONTENT_FLASH, ndpi_struct, NDPI_LOG_DEBUG, "Flash content in HTTP detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found Flash content in HTTP\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_FLASH); } } 
@@ -75,7 +80,7 @@ static void avi_check_http_payload(struct ndpi_detection_module_struct *ndpi_str struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_CONTENT_AVI, ndpi_struct, NDPI_LOG_DEBUG, "called avi_check_http_payload: %u %u %u\n", + NDPI_LOG_DBG2(ndpi_struct, "called avi_check_http_payload: %u %u %u\n", packet->empty_line_position_set, flow->l4.tcp.http_empty_line_seen, packet->empty_line_position); if(packet->empty_line_position_set == 0 && flow->l4.tcp.http_empty_line_seen == 0) @@ -90,7 +95,7 @@ static void avi_check_http_payload(struct ndpi_detection_module_struct *ndpi_str if(flow->l4.tcp.http_empty_line_seen == 1) { if(packet->payload_packet_len > 20 && memcmp(packet->payload, "RIFF", 4) == 0 && memcmp(packet->payload + 8, "AVI LIST", 8) == 0) { - NDPI_LOG(NDPI_CONTENT_AVI, ndpi_struct, NDPI_LOG_DEBUG, "Avi content in HTTP detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found Avi content in HTTP\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_AVI); } flow->l4.tcp.http_empty_line_seen = 0; @@ -105,11 +110,11 @@ static void avi_check_http_payload(struct ndpi_detection_module_struct *ndpi_str u_int32_t p = packet->empty_line_position + 2; // check for avi header - NDPI_LOG(NDPI_CONTENT_AVI, ndpi_struct, NDPI_LOG_DEBUG, "p = %u\n", p); + NDPI_LOG_DBG2(ndpi_struct, "p = %u\n", p); if((p + 16) <= packet->payload_packet_len && memcmp(&packet->payload[p], "RIFF", 4) == 0 && memcmp(&packet->payload[p + 8], "AVI LIST", 8) == 0) { - NDPI_LOG(NDPI_CONTENT_AVI, ndpi_struct, NDPI_LOG_DEBUG, "Avi content in HTTP detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found Avi content in HTTP\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_AVI); } } 
@@ -122,7 +127,7 @@ static void teamviewer_check_http_payload(struct ndpi_detection_module_struct *n struct ndpi_packet_struct *packet = &flow->packet; const u_int8_t *pos; - NDPI_LOG(NDPI_PROTOCOL_TEAMVIEWER, ndpi_struct, NDPI_LOG_DEBUG, "called teamviewer_check_http_payload: %u %u %u\n", + NDPI_LOG_DBG2(ndpi_struct, "called teamviewer_check_http_payload: %u %u %u\n", packet->empty_line_position_set, flow->l4.tcp.http_empty_line_seen, packet->empty_line_position); if(packet->empty_line_position_set == 0 || (packet->empty_line_position + 5) > (packet->payload_packet_len)) @@ -131,7 +136,7 @@ static void teamviewer_check_http_payload(struct ndpi_detection_module_struct *n pos = &packet->payload[packet->empty_line_position] + 2; if(pos[0] == 0x17 && pos[1] == 0x24) { - NDPI_LOG(NDPI_PROTOCOL_TEAMVIEWER, ndpi_struct, NDPI_LOG_DEBUG, "TeamViewer content in HTTP detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found TeamViewer content in HTTP\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_TEAMVIEWER); } } @@ -145,7 +150,7 @@ static void rtsp_parse_packet_acceptline(struct ndpi_detection_module_struct struct ndpi_packet_struct *packet = &flow->packet; if(packet->accept_line.len >= 28 && memcmp(packet->accept_line.ptr, "application/x-rtsp-tunnelled", 28) == 0) { - NDPI_LOG(NDPI_PROTOCOL_RTSP, ndpi_struct, NDPI_LOG_DEBUG, "RTSP accept line detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found RTSP accept line\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_RTSP); } } 
@@ -199,12 +204,12 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* PPStream */ if(flow->l4.tcp.ppstream_stage > 0 && flow->iqiyi_counter == 0) { - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "PPStream found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found PPStream\n"); /* ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM); */ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_HTTP); } else if(flow->iqiyi_counter > 0) { - NDPI_LOG(NDPI_PROTOCOL_IQIYI, ndpi_struct, NDPI_LOG_DEBUG, "iQiyi found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found iQiyi\n"); /* ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_IQIYI); */ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_IQIYI, NDPI_PROTOCOL_HTTP); } @@ -213,7 +218,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ #if defined(NDPI_PROTOCOL_1KXUN) || defined(NDPI_PROTOCOL_IQIYI) /* 1KXUN */ if(flow->kxun_counter > 0) { - NDPI_LOG(NDPI_PROTOCOL_1KXUN, ndpi_struct, NDPI_LOG_DEBUG, "1kxun found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found 1kxun\n"); /* ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_1KXUN); */ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_1KXUN, NDPI_PROTOCOL_HTTP); } @@ -330,12 +335,13 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ } } else if(memcmp(ua, "netflix-ios-app", 15) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found netflix\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_NETFLIX); return; } } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "User Agent Type line found %.*s\n", + NDPI_LOG_DBG2(ndpi_struct, "User Agent Type line found %.*s\n", packet->user_agent_line.len, packet->user_agent_line.ptr); } 
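Review bot: The `%.*s` debug line in the `@@ -330,12 +335,13 @@` hunk prints the User-Agent bytes exactly as they arrived in the packet, and the HOST, Accept and Content Type lines in the following hunks do the same. Control and escape bytes in those headers therefore reach whatever terminal or log file receives DBG2 output. This commit adds `non_ctrl()` for the four method bytes in `http_request_url_offset`, so the header lines deserve the same treatment, for example copying into a small bounded buffer and mapping non-printable bytes to `.` before logging. If that is deferred, a comment such as `/* header bytes are untrusted and logged unescaped */` at the first of these calls would at least record it. The enclosing function starts and ends outside the hunk.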
@@ -343,7 +349,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if(packet->host_line.ptr != NULL) { u_int len; - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HOST line found %.*s\n", + NDPI_LOG_DBG2(ndpi_struct, "HOST line found %.*s\n", packet->host_line.len, packet->host_line.ptr); /* call ndpi_match_host_subprotocol to see if there is a match with known-host HTTP subprotocol */ @@ -395,6 +401,8 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ if(flow->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_HTTP) { + NDPI_LOG_INFO(ndpi_struct, "found HTTP/%s\n", + ndpi_get_proto_name(ndpi_struct, packet->detected_protocol_stack[0])); ndpi_int_http_add_connection(ndpi_struct, flow, packet->detected_protocol_stack[0]); return; /* We have identified a sub-protocol so we're done */ } @@ -409,7 +417,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ /* check for accept line */ if(packet->accept_line.ptr != NULL) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Accept line found %.*s\n", + NDPI_LOG_DBG2(ndpi_struct, "Accept line found %.*s\n", packet->accept_line.len, packet->accept_line.ptr); #ifdef NDPI_PROTOCOL_RTSP if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_PROTOCOL_RTSP) != 0) { @@ -422,7 +430,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ #ifdef NDPI_CONTENT_MPEG for (a = 0; a < packet->parsed_lines; a++) { if(packet->line[a].len > 11 && memcmp(packet->line[a].ptr, "Icy-MetaData", 12) == 0) { - NDPI_LOG(NDPI_CONTENT_MPEG, ndpi_struct, NDPI_LOG_DEBUG, "MPEG: Icy-MetaData found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MPEG: Icy-MetaData\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_CONTENT_MPEG); return; } 
@@ -432,7 +440,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ #endif if(packet->content_line.ptr != NULL && packet->content_line.len != 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Content Type line found %.*s\n", + NDPI_LOG_DBG2(ndpi_struct, "Content Type line found %.*s\n", packet->content_line.len, packet->content_line.ptr); if((ndpi_struct->http_dont_dissect_response) || flow->http_detected) @@ -444,7 +452,7 @@ static void check_content_type_and_change_protocol(struct ndpi_detection_module_ static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "called check_http_payload.\n"); + NDPI_LOG_DBG2(ndpi_struct, "called check_http_payload\n"); #ifdef NDPI_CONTENT_FLASH if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(ndpi_struct->detection_bitmask, NDPI_CONTENT_FLASH) != 0) 
@@ -466,54 +474,55 @@ static void check_http_payload(struct ndpi_detection_module_struct *ndpi_struct, * @returnvalue 0 if no valid request has been found * @returnvalue >0 indicates start of filename but not necessarily in packet limit */ + +#define STATIC_STRING_L(a) {.str=a, .len=sizeof(a)-1 } + +static struct l_string { + const char *str; + size_t len; +} http_methods[] = { + STATIC_STRING_L("GET "), + STATIC_STRING_L("POST "), + STATIC_STRING_L("OPTIONS "), + STATIC_STRING_L("HEAD "), + STATIC_STRING_L("PUT "), + STATIC_STRING_L("DELETE "), + STATIC_STRING_L("CONNECT "), + STATIC_STRING_L("PROPFIND "), + STATIC_STRING_L("REPORT ") }; +static const char *http_fs = "CDGHOPR"; + +static inline uint8_t non_ctrl(uint8_t c) { + return c < 32 ? '.':c; +} + static u_int16_t http_request_url_offset(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + int i; - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "====>>>> HTTP: %c%c%c%c [len: %u]\n", - packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], + NDPI_LOG_DBG2(ndpi_struct, "====>>>> HTTP: %c%c%c%c [len: %u]\n", + non_ctrl(packet->payload[0]), non_ctrl(packet->payload[1]), + non_ctrl(packet->payload[2]), non_ctrl(packet->payload[3]), packet->payload_packet_len); + /* Check first char */ + if(!strchr(http_fs,packet->payload[0])) return 0; /** FIRST PAYLOAD PACKET FROM CLIENT **/ - - /* check if the packet starts with POST or GET */ - if(packet->payload_packet_len >= 4 && memcmp(packet->payload, "GET ", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: GET FOUND\n"); - return 4; - } else if(packet->payload_packet_len >= 5 && memcmp(packet->payload, "POST ", 5) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: POST FOUND\n"); - return 5; - } else if(packet->payload_packet_len >= 8 && memcmp(packet->payload, "OPTIONS ", 8) == 0) { - 
NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: OPTIONS FOUND\n"); - return 8; - } else if(packet->payload_packet_len >= 5 && memcmp(packet->payload, "HEAD ", 5) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: HEAD FOUND\n"); - return 5; - } else if(packet->payload_packet_len >= 4 && memcmp(packet->payload, "PUT ", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: PUT FOUND\n"); - return 4; - } else if(packet->payload_packet_len >= 7 && memcmp(packet->payload, "DELETE ", 7) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: DELETE FOUND\n"); - return 7; - } else if(packet->payload_packet_len >= 8 && memcmp(packet->payload, "CONNECT ", 8) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: CONNECT FOUND\n"); - return 8; - } else if(packet->payload_packet_len >= 9 && memcmp(packet->payload, "PROPFIND ", 9) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: PROFIND FOUND\n"); - return 9; - } else if(packet->payload_packet_len >= 7 && memcmp(packet->payload, "REPORT ", 7) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: REPORT FOUND\n"); - return 7; + for(i=0; i < sizeof(http_methods)/sizeof(http_methods[0]); i++) { + if(packet->payload_packet_len >= http_methods[i].len && + memcmp(packet->payload,http_methods[i].str,http_methods[i].len) == 0) { + NDPI_LOG_DBG2(ndpi_struct, "HTTP: %sFOUND\n",http_methods[i].str); + return http_methods[i].len; + } } - return 0; } -static void http_bitmask_exclude(struct ndpi_flow_struct *flow) +static void http_bitmask_exclude_other(struct ndpi_flow_struct *flow) { - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP); #ifdef NDPI_CONTENT_MPEG NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_MPEG); #endif 
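Review bot: `http_request_url_offset` reads `packet->payload[0]` to `payload[3]` for the debug line, and `payload[0]` again for the new `strchr` pre-filter, before anything is compared with `payload_packet_len`. The pre-filter read remains even if the log macro compiles to nothing, so unless the caller guarantees four payload bytes (not visible in this hunk) a shorter segment is read past its end. I would put `if(packet->payload_packet_len < 4) return 0;` above the log call, which changes no result because the shortest method token is four bytes. The pre-filter should become `if(packet->payload[0] == '\0' || !strchr(http_fs, packet->payload[0])) return 0;`, since `strchr` also matches the terminator. Separately, `non_ctrl()` maps only bytes below 32, so 0x7f and higher bytes still reach `%c`, and `http_methods` is never written and could be `static const`.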
@@ -554,18 +563,15 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct if(flow->l4.tcp.http_stage == 0) { /* Expected a request */ flow->http_detected = 0; - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP stage %d: \n", - flow->l4.tcp.http_stage); + NDPI_LOG_DBG2(ndpi_struct, "HTTP stage %d: \n", flow->l4.tcp.http_stage); filename_start = http_request_url_offset(ndpi_struct, flow); if(filename_start == 0) { /* not a regular request. In the HTTP first stage, may be a truncated flow or other protocols */ - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "Filename HTTP not found, we look for possible truncate flow...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Filename HTTP not found, we look for possible truncate flow..\n"); if(packet->payload_packet_len >= 7 && memcmp(packet->payload, "HTTP/1.", 7) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "HTTP response found (truncated flow ?)\n"); + NDPI_LOG_INFO(ndpi_struct, "found HTTP response\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); check_content_type_and_change_protocol(ndpi_struct, flow); return; @@ -589,18 +595,18 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct return; } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Exclude HTTP\n"); - http_bitmask_exclude(flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + http_bitmask_exclude_other(flow); return; } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "Filename HTTP found: %d, we look for line info..\n", filename_start); ndpi_parse_packet_line_info(ndpi_struct, flow); if(packet->parsed_lines <= 1) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "Found just one line, we will look further for the next packet...\n"); packet->http_method.ptr = packet->line[0].ptr; 
@@ -611,7 +617,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct return; } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "Found more than one line, we look further for the next packet...\n"); if(packet->line[0].len >= (9 + filename_start) @@ -643,6 +649,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct /* Check for additional field introduced by Steam */ int x = 1; if((memcmp(packet->line[x].ptr, "x-steam-sid", 11)) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_STEAM); check_content_type_and_change_protocol(ndpi_struct, flow); return; @@ -652,6 +659,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct x = 1; while(packet->line[x].len != 0) { if(packet->line[x].len >= 12 && (memcmp(packet->line[x].ptr, "X-FB-SIM-HNI", 12)) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found FACEBOOK\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_FACEBOOK); check_content_type_and_change_protocol(ndpi_struct, flow); return; 
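Review bot: In the `x-steam-sid` check, `memcmp(packet->line[x].ptr, "x-steam-sid", 11)` compares eleven bytes without first testing `packet->line[x].len`, whereas the Facebook loop in the next hunk does test `len >= 12`. A second header line shorter than eleven bytes would make the compare read beyond that line, and possibly beyond the payload. I would change the condition to `if(packet->line[x].len >= 11 && memcmp(packet->line[x].ptr, "x-steam-sid", 11) == 0) {`. The commit only adds the log line here and the rest of `ndpi_check_http_tcp` lies outside the hunk, so confirm that no earlier check already covers this.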
@@ -704,19 +712,19 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct if((packet->http_url_name.len > 7) && (!strncmp((const char*) packet->http_url_name.ptr, "http://", 7))) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP_PROXY Found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found HTTP_PROXY\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_PROXY); check_content_type_and_change_protocol(ndpi_struct, flow); } if(filename_start == 8 && (memcmp(packet->payload, "CONNECT ", 8) == 0)) { /* nathan@getoffmalawn.com */ - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP_CONNECT Found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found HTTP_CONNECT\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_CONNECT); check_content_type_and_change_protocol(ndpi_struct, flow); } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "HTTP START Found, we will look for sub-protocols (content and host)...\n"); if(packet->host_line.ptr != NULL) { @@ -729,10 +737,11 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct if(ndpi_struct->http_dont_dissect_response) { if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) /* No subprotocol found */ + NDPI_LOG_INFO(ndpi_struct, "found HTTP\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); } else { flow->http_detected = 1; - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "HTTP START Found, we will look further for the response...\n"); flow->l4.tcp.http_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 } 
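Review bot: In the `http_dont_dissect_response` branch, the new `NDPI_LOG_INFO(ndpi_struct, "found HTTP\n");` was inserted directly under the unbraced `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)`. The `if` now governs only the log statement, and `ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP);` runs unconditionally. That holds for any usual expansion of the macro, including an empty one, so a flow whose sub-protocol was already identified is still handed to the HTTP add-connection call, which looks unintended for a logging-only change. Add braces as the later `if(flow->http_detected) {` hunk of this commit does: `if(flow->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) {`, then the log line and the add-connection call, then `}`.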
@@ -742,13 +751,12 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP: REQUEST NOT HTTP CONFORM\n"); - http_bitmask_exclude(flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + http_bitmask_exclude_other(flow); } else if((flow->l4.tcp.http_stage == 1) || (flow->l4.tcp.http_stage == 2)) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP stage %u: \n", - flow->l4.tcp.http_stage); + NDPI_LOG_DBG2(ndpi_struct, "HTTP stage %u: \n", flow->l4.tcp.http_stage); if(flow->l4.tcp.http_stage == 1) { @@ -769,7 +777,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct if(flow->http_detected) return; - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, " SECOND PAYLOAD TRAFFIC FROM CLIENT, FIRST PACKET MIGHT HAVE BEEN HTTP...UNKNOWN TRAFFIC, HERE FOR HTTP again.. \n"); ndpi_parse_packet_line_info(ndpi_struct, flow); @@ -780,14 +788,13 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct if(packet->parsed_lines <= 1) { /* wait some packets in case request is split over more than 2 packets */ if(flow->packet_counter < 5) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "line still not finished, search next packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "line still not finished, search next packet\n"); return; } else { /* stop parsing here */ - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, - "HTTP: PACKET DOES NOT HAVE A LINE STRUCTURE\n"); - http_bitmask_exclude(flow); + NDPI_LOG_DBG2(ndpi_struct, "exclude HTTP: PACKET DOES NOT HAVE A LINE STRUCTURE\n"); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + http_bitmask_exclude_other(flow); return; } } 
@@ -795,11 +802,11 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct if(packet->line[0].len >= 9 && memcmp(&packet->line[0].ptr[packet->line[0].len - 9], " HTTP/1.", 8) == 0) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Found HTTP.\n"); + NDPI_LOG_INFO(ndpi_struct, "found HTTP\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); check_content_type_and_change_protocol(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "HTTP START Found in 2. packet, we will look further for the response....\n"); flow->http_detected = 1; } @@ -817,15 +824,17 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct */ if((packet->parsed_lines == 1) && (packet->packet_direction == 1 /* server -> client */)) { /* In Apache if you do "GET /\n\n" the response comes without any header */ - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Found HTTP. (apache)\n"); + NDPI_LOG_INFO(ndpi_struct, "found HTTP. (apache)\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); check_content_type_and_change_protocol(ndpi_struct, flow); return; } /* If we already detected the HTTP request, we can add the connection and then check for the sub-protocol */ - if(flow->http_detected) + if(flow->http_detected) { + NDPI_LOG_INFO(ndpi_struct, "found HTTP\n"); ndpi_int_http_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_HTTP); + } /* Parse packet line and we look for the subprotocols */ ndpi_parse_packet_line_info(ndpi_struct, flow); @@ -836,7 +845,7 @@ static void ndpi_check_http_tcp(struct ndpi_detection_module_struct *ndpi_struct } if(packet->empty_line_position_set != 0 || flow->l4.tcp.http_empty_line_seen == 1) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "empty line. check_http_payload.\n"); + NDPI_LOG_DBG2(ndpi_struct, "empty line. check_http_payload\n"); check_http_payload(ndpi_struct, flow); } 
@@ -852,8 +861,8 @@ void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, /* Break after 20 packets. */ if(flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "Exclude HTTP.\n"); - http_bitmask_exclude(flow); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + http_bitmask_exclude_other(flow); return; } @@ -861,7 +870,7 @@ void ndpi_search_http_tcp(struct ndpi_detection_module_struct *ndpi_struct, return; } - NDPI_LOG(NDPI_PROTOCOL_HTTP, ndpi_struct, NDPI_LOG_DEBUG, "HTTP detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search HTTP\n"); ndpi_check_http_tcp(ndpi_struct, flow); } diff --git a/src/lib/protocols/http_activesync.c b/src/lib/protocols/http_activesync.c index 8f17af8d6..55451f6bf 100644 --- a/src/lib/protocols/http_activesync.c +++ b/src/lib/protocols/http_activesync.c @@ -24,8 +24,14 @@ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC + +#include "ndpi_api.h" + static void ndpi_int_activesync_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC, NDPI_PROTOCOL_HTTP); 
@@ -35,20 +41,19 @@ void ndpi_search_activesync(struct ndpi_detection_module_struct *ndpi_struct, st { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search activesync\n"); if (packet->tcp != NULL) { if (packet->payload_packet_len > 150 && ((memcmp(packet->payload, "OPTIONS /Microsoft-Server-ActiveSync?", 37) == 0) || (memcmp(packet->payload, "POST /Microsoft-Server-ActiveSync?", 34) == 0))) { ndpi_int_activesync_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC, ndpi_struct, NDPI_LOG_DEBUG, - " flow marked as ActiveSync \n"); + NDPI_LOG_INFO(ndpi_struct, "found ActiveSync \n"); return; } } - NDPI_LOG(NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC, ndpi_struct, NDPI_LOG_DEBUG, "exclude activesync\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP_APPLICATION_ACTIVESYNC); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/iax.c b/src/lib/protocols/iax.c index 84e039c2b..7f6e960f1 100644 --- a/src/lib/protocols/iax.c +++ b/src/lib/protocols/iax.c @@ -23,10 +23,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_IAX +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_IAX + +#include "ndpi_api.h" + + #define NDPI_IAX_MAX_INFORMATION_ELEMENTS 15 static void ndpi_int_iax_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -58,7 +63,7 @@ static void ndpi_search_setup_iax(struct ndpi_detection_module_struct *ndpi_stru && packet->payload[11] <= 15) { if (packet->payload_packet_len == 12) { - NDPI_LOG(NDPI_PROTOCOL_IAX, ndpi_struct, NDPI_LOG_DEBUG, "found IAX.\n"); + NDPI_LOG_INFO(ndpi_struct, "found IAX\n"); ndpi_int_iax_add_connection(ndpi_struct, flow); return; } 
@@ -66,7 +71,7 @@ static void ndpi_search_setup_iax(struct ndpi_detection_module_struct *ndpi_stru for (i = 0; i < NDPI_IAX_MAX_INFORMATION_ELEMENTS; i++) { packet_len = packet_len + 2 + packet->payload[packet_len + 1]; if (packet_len == packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_IAX, ndpi_struct, NDPI_LOG_DEBUG, "found IAX.\n"); + NDPI_LOG_INFO(ndpi_struct, "found IAX\n"); ndpi_int_iax_add_connection(ndpi_struct, flow); return; } @@ -77,16 +82,13 @@ static void ndpi_search_setup_iax(struct ndpi_detection_module_struct *ndpi_stru } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IAX); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_iax(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_flow_struct *flow=ndpi_struct->flow; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; if(packet->udp && (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN)) diff --git a/src/lib/protocols/icecast.c b/src/lib/protocols/icecast.c index 3e89cc043..23aca33e9 100644 --- a/src/lib/protocols/icecast.c +++ b/src/lib/protocols/icecast.c @@ -22,11 +22,14 @@ * */ - -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_ICECAST +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ICECAST + +#include "ndpi_api.h" + static void ndpi_int_icecast_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ICECAST, NDPI_PROTOCOL_UNKNOWN); 
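Review bot: In the information-element loop of `ndpi_search_setup_iax` (`@@ -66,7 +71,7 @@`), `packet->payload[packet_len + 1]` is read before `packet_len` is compared with `packet->payload_packet_len`. When the accumulated element lengths put `packet_len + 1` at or past the end of the payload, the dissector reads beyond the packet. The lines between this hunk and the next are not shown, so a later `>` check may exist, but it would still run after the read. A guard at the top of the loop body would bound it: `if (packet_len + 1 >= packet->payload_packet_len) break;`. The function starts outside the hunk.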
@@ -37,17 +40,17 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s struct ndpi_packet_struct *packet = &flow->packet; u_int8_t i; - NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "search icecast.\n"); + NDPI_LOG_DBG(ndpi_struct, "search icecast\n"); if ((packet->payload_packet_len < 500 && packet->payload_packet_len >= 7 && memcmp(packet->payload, "SOURCE ", 7) == 0) || flow->l4.tcp.icecast_stage) { ndpi_parse_packet_line_info_any(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast lines=%d\n", packet->parsed_lines); + NDPI_LOG_DBG2(ndpi_struct, "Icecast lines=%d\n", packet->parsed_lines); for (i = 0; i < packet->parsed_lines; i++) { if (packet->line[i].ptr != NULL && packet->line[i].len > 4 && memcmp(packet->line[i].ptr, "ice-", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Icecast\n"); ndpi_int_icecast_add_connection(ndpi_struct, flow); return; } @@ -75,18 +78,17 @@ void ndpi_search_icecast_tcp(struct ndpi_detection_module_struct *ndpi_struct, s if (packet->server_line.ptr != NULL && packet->server_line.len > NDPI_STATICSTRING_LEN("Icecast") && memcmp(packet->server_line.ptr, "Icecast", NDPI_STATICSTRING_LEN("Icecast")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast detected.\n"); /* TODO maybe store the previous protocol type as subtype? * e.g. ogg or mpeg */ + NDPI_LOG_INFO(ndpi_struct, "found Icecast\n"); ndpi_int_icecast_add_connection(ndpi_struct, flow); return; } } icecast_exclude: - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ICECAST); - NDPI_LOG(NDPI_PROTOCOL_ICECAST, ndpi_struct, NDPI_LOG_DEBUG, "Icecast excluded.\n"); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/ipp.c b/src/lib/protocols/ipp.c index 2135f297f..fcf25a758 100644 --- a/src/lib/protocols/ipp.c +++ b/src/lib/protocols/ipp.c 
@@ -22,11 +22,15 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_IPP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_IPP + +#include "ndpi_api.h" + + static void ndpi_int_ipp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */) { @@ -36,22 +40,20 @@ static void ndpi_int_ipp_add_connection(struct ndpi_detection_module_struct *ndp void ndpi_search_ipp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - u_int8_t i; - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "search ipp\n"); + NDPI_LOG_DBG(ndpi_struct, "search ipp\n"); + if (packet->payload_packet_len > 20) { - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "searching for a payload with a pattern like 'number(1to8)blanknumber(1to3)ipp://.\n"); /* this pattern means that there is a printer saying that his state is idle, * means that he is not printing anything at the moment */ i = 0; if (packet->payload[i] < '0' || packet->payload[i] > '9') { - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "payload does not begin with a number.\n"); + NDPI_LOG_DBG2(ndpi_struct, "payload does not begin with a number\n"); goto search_for_next_pattern; } 
@@ -60,37 +62,37 @@ void ndpi_search_ipp(struct ndpi_detection_module_struct *ndpi_struct, struct nd if (!((packet->payload[i] >= '0' && packet->payload[i] <= '9') || (packet->payload[i] >= 'a' && packet->payload[i] <= 'f') || (packet->payload[i] >= 'A' && packet->payload[i] <= 'F')) || i > 8) { - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "read symbols while the symbol is a number.\n"); break; } } if (packet->payload[i++] != ' ') { - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "there is no blank following the number.\n"); + NDPI_LOG_DBG2(ndpi_struct, "there is no blank following the number\n"); goto search_for_next_pattern; } if (packet->payload[i] < '0' || packet->payload[i] > '9') { - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "no number following the blank.\n"); + NDPI_LOG_DBG2(ndpi_struct, "no number following the blank\n"); goto search_for_next_pattern; } for (;;) { i++; if (packet->payload[i] < '0' || packet->payload[i] > '9' || i > 12) { - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "read symbols while the symbol is a number.\n"); break; } } if (memcmp(&packet->payload[i], " ipp://", 7) != 0) { - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "the string ' ipp://' does not follow.\n"); + NDPI_LOG_DBG2(ndpi_struct, "the string ' ipp://' does not follow\n"); goto search_for_next_pattern; } - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "found ipp\n"); + NDPI_LOG_INFO(ndpi_struct, "found ipp\n"); ndpi_int_ipp_add_connection(ndpi_struct, flow); return; } 
@@ -101,13 +103,12 @@ void ndpi_search_ipp(struct ndpi_detection_module_struct *ndpi_struct, struct nd ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->content_line.ptr != NULL && packet->content_line.len > 14 && memcmp(packet->content_line.ptr, "application/ipp", 15) == 0) { - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "found ipp via POST ... application/ipp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found ipp via POST ... application/ipp\n"); ndpi_int_ipp_add_connection(ndpi_struct, flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_IPP, ndpi_struct, NDPI_LOG_DEBUG, "no ipp detected.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IPP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/irc.c b/src/lib/protocols/irc.c index b2b73ac5f..2cadf0a32 100644 --- a/src/lib/protocols/irc.c +++ b/src/lib/protocols/irc.c @@ -23,9 +23,14 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_IRC + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_IRC + +#include "ndpi_api.h" + #define NDPI_IRC_FIND_LESS(time_err,less) {int t1 = 0; \ u_int32_t timestamp = time_err[0]; \ for(t1=0;t1 < NDPI_PROTOCOL_IRC_MAXPORT;t1++) { \ @@ -65,7 +70,7 @@ static u_int8_t ndpi_check_for_NOTICE_or_PRIVMSG(struct ndpi_detection_module_st for (i = 0; i < packet->payload_packet_len - 7; i++) { if (packet->payload[i] == 'N' || packet->payload[i] == 'P') { if (memcmp(&packet->payload[i + 1], "OTICE ", 6) == 0 || memcmp(&packet->payload[i + 1], "RIVMSG ", 7) == 0) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "found NOTICE or PRIVMSG\n"); + NDPI_LOG_DBG2(ndpi_struct, "found NOTICE or PRIVMSG\n"); return 1; } } 
@@ -94,7 +99,7 @@ static u_int8_t ndpi_check_for_Nickname(struct ndpi_detection_module_struct *ndp if ((((packetl - (i + 1)) >= 4) && memcmp(&packet->payload[i + 1], "ick=", 4) == 0) || (((packetl - (i + 1)) >= 8) && (memcmp(&packet->payload[i + 1], "ickname=", 8) == 0)) || (((packetl - (i + 1)) >= 8) && (memcmp(&packet->payload[i + 1], "ickName=", 8) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "found HTTP IRC Nickname pattern\n"); + NDPI_LOG_DBG2(ndpi_struct, "found HTTP IRC Nickname pattern\n"); return 1; } } @@ -114,7 +119,7 @@ static u_int8_t ndpi_check_for_cmd(struct ndpi_detection_module_struct *ndpi_str for (i = 0; i < packet->payload_packet_len - 4; i++) { if (packet->payload[i] == 'c') { if (memcmp(&packet->payload[i + 1], "md=", 3) == 0) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "found HTTP IRC cmd pattern \n"); + NDPI_LOG_DBG2(ndpi_struct, "found HTTP IRC cmd pattern \n"); return 1; } } @@ -147,8 +152,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, - "called ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast\n"); + NDPI_LOG_DBG(ndpi_struct, "start fast detect\n"); /* case 1: len 1460, len 1460, len 1176 several times in one direction, than len = 4, 4096, 8192 in the other direction */ if (packet->payload_packet_len == 1460 @@ -174,7 +178,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && (ntohs(get_u_int16_t(packet->payload, 2)) == 0x1000 || ntohs(get_u_int16_t(packet->payload, 2)) == 0x2000)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC SSL detected: ->1460,1460,1176,<-4096||8192"); + NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1460,1460,1176,<-4096||8192"); ndpi_int_irc_add_connection(ndpi_struct, flow); return 1; } 
@@ -185,27 +189,27 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det 1 + packet->packet_direction))) { flow->l4.tcp.irc_stage2 = 4; flow->l4.tcp.irc_direction = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "len = 1448 first\n"); + NDPI_LOG_DBG2(ndpi_struct, "len = 1448 first\n"); return 1; } if (packet->payload_packet_len == 1448 && flow->l4.tcp.irc_stage2 == 4 && flow->l4.tcp.irc_direction == 1 + packet->packet_direction) { flow->l4.tcp.irc_stage2 = 5; - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "len = 1448 second \n"); + NDPI_LOG_DBG2(ndpi_struct, "len = 1448 second \n"); return 1; } if (packet->payload_packet_len == 1200 && flow->l4.tcp.irc_stage2 == 5 && flow->l4.tcp.irc_direction == 1 + packet->packet_direction) { flow->l4.tcp.irc_stage2 = 6; flow->l4.tcp.irc_0x1000_full = 1; - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "len = 1200 \n"); + NDPI_LOG_DBG2(ndpi_struct, "len = 1200 \n"); return 1; } if (packet->payload_packet_len == 4 && (flow->l4.tcp.irc_stage2 == 6 || flow->l4.tcp.irc_0x1000_full == 1) && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && (ntohs(get_u_int16_t(packet->payload, 2)) == 0x1000 || ntohs(get_u_int16_t(packet->payload, 2)) == 0x2000)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC SSL detected: ->1448,1448,1200,<-4096||8192"); + NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1448,1448,1200,<-4096||8192"); ndpi_int_irc_add_connection(ndpi_struct, flow); return 1; } 
@@ -222,7 +226,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && (ntohs(get_u_int16_t(packet->payload, 2)) == 1380 || ntohs(get_u_int16_t(packet->payload, 2)) == 2760)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC SSL detected: ->1380,<-1380||2760"); + NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1380,<-1380||2760"); ndpi_int_irc_add_connection(ndpi_struct, flow); return 1; } @@ -237,7 +241,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && (ntohs(get_u_int16_t(packet->payload, 2)) == 1200 || ntohs(get_u_int16_t(packet->payload, 2)) == 2400)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC SSL detected: ->1200,<-1200||2400"); + NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1200,<-1200||2400"); ndpi_int_irc_add_connection(ndpi_struct, flow); return 1; } @@ -252,7 +256,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && (ntohs(get_u_int16_t(packet->payload, 2)) == 1024 || ntohs(get_u_int16_t(packet->payload, 2)) == 2048)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC SSL detected: ->1024,<-1024||2048"); + NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1024,<-1024||2048"); ndpi_int_irc_add_connection(ndpi_struct, flow); return 1; } 
@@ -267,7 +271,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && (ntohs(get_u_int16_t(packet->payload, 2)) == 1248 || ntohs(get_u_int16_t(packet->payload, 2)) == 2496)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC SSL detected: ->1248,<-1248||2496"); + NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1248,<-1248||2496"); ndpi_int_irc_add_connection(ndpi_struct, flow); return 1; } @@ -282,7 +286,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && (ntohs(get_u_int16_t(packet->payload, 2)) == 1448 || ntohs(get_u_int16_t(packet->payload, 2)) == 2896)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC SSL detected: ->1448,<-1448||2896"); + NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1448,<-1448||2896"); ndpi_int_irc_add_connection(ndpi_struct, flow); return 1; } @@ -305,8 +309,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det if (packet->payload_packet_len == 4 && flow->l4.tcp.irc_stage2 == 14 && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && ntohs(get_u_int16_t(packet->payload, 2)) == 8192) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, - "IRC SSL detected: ->1448,1448,1448,1448,1448,952,<-8192"); + NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1448,1448,1448,1448,1448,952,<-8192"); ndpi_int_irc_add_connection(ndpi_struct, flow); return 1; } 
@@ -339,8 +342,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det if (packet->payload_packet_len == 4 && flow->l4.tcp.irc_stage2 == 19 && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && ntohs(get_u_int16_t(packet->payload, 2)) == 7168) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, - "IRC SSL detected: ->1024,1448,1448,1200,1448,600,<-7168"); + NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1024,1448,1448,1200,1448,600,<-7168"); ndpi_int_irc_add_connection(ndpi_struct, flow); return 1; } @@ -353,7 +355,7 @@ u_int8_t ndpi_search_irc_ssl_detect_ninety_percent_but_very_fast(struct ndpi_det if (packet->payload_packet_len == 4 && flow->l4.tcp.irc_stage2 == 20 && flow->l4.tcp.irc_direction == 2 - packet->packet_direction && ntohs(get_u_int16_t(packet->payload, 2)) == 2404) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC SSL detected: ->1024,1380 <-2404"); + NDPI_LOG_INFO(ndpi_struct, "found IRC SSL: ->1024,1380 <-2404"); ndpi_int_irc_add_connection(ndpi_struct, flow); return 1; 
@@ -382,26 +384,26 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc u_int16_t http_content_ptr_len = 0; u_int8_t space = 0; - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : search irc\n"); + NDPI_LOG_DBG(ndpi_struct, "search irc\n"); if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter > 70) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "exclude irc, packet_counter > 70\n"); + NDPI_LOG_DBG(ndpi_struct, "exclude irc, packet_counter > 70\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC); return; } if (flow->detected_protocol_stack[0] != NDPI_PROTOCOL_IRC && flow->packet_counter > 30 && flow->l4.tcp.irc_stage2 == 0) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "packet_counter > 30, exclude irc.\n"); + NDPI_LOG_DBG(ndpi_struct, "exclude irc, packet_counter > 30\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC); return; } if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) { if (src != NULL && ((u_int32_t) (packet->tick_timestamp - src->irc_ts) < ndpi_struct->irc_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : save src connection packet detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "irc : save src connection packet detected\n"); src->irc_ts = packet->tick_timestamp; } else if (dst != NULL && ((u_int32_t) (packet->tick_timestamp - dst->irc_ts) < ndpi_struct->irc_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "irc : save dst connection packet detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "irc : save dst connection packet detected\n"); dst->irc_ts = packet->tick_timestamp; } } 
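Review bot: The two early-exit paths at the top of `ndpi_search_irc_tcp` (`@@ -382,26 +384,26 @@`) still pair a hand-written log line with `NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_IRC);`. Every other dissector touched by this commit switches to `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`. If that macro logs and sets the bit for `NDPI_CURRENT_PROTO`, as its use elsewhere suggests (its definition is not on this page), both branches could become `NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return;`. If the packet-count reason is worth keeping in the log, a one-line comment such as `/* keep explicit message: exclusion reason is the packet counter */` would explain why this file differs.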
@@ -423,8 +425,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc for (counter = 0; counter < dst->irc_number_of_port; counter++) { if (dst->irc_port[counter] == sport || dst->irc_port[counter] == dport) { dst->last_time_port_used[counter] = packet->tick_timestamp; - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, - "dest port matched with the DCC port and the flow is marked as IRC"); + NDPI_LOG_INFO(ndpi_struct, "found IRC: dest port matched with the DCC port"); ndpi_int_irc_add_connection(ndpi_struct, flow); return; } @@ -434,9 +435,8 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc for (counter = 0; counter < src->irc_number_of_port; counter++) { if (src->irc_port[counter] == sport || src->irc_port[counter] == dport) { src->last_time_port_used[counter] = packet->tick_timestamp; + NDPI_LOG_INFO(ndpi_struct, "found IRC: Source port matched with the DCC port"); ndpi_int_irc_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, - "Source port matched with the DCC port and the flow is marked as IRC"); return; } } @@ -465,8 +465,8 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc || (memcmp(&packet->payload[c1], "irc.discostars.de1", 18) == 0) || (memcmp(&packet->payload[c1], "irc.rizon.net", 13) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, - "IRC SSL detected with :- irc.hackthissite.org0 | irc.gamepad.ca1 | dungeon.axenet.org0 " + NDPI_LOG_INFO(ndpi_struct, + "found IRC SSL: - irc.hackthissite.org0 | irc.gamepad.ca1 | dungeon.axenet.org0 " "| dazed.nuggethaus.net | irc.indymedia.org | irc.discostars.de1 "); ndpi_int_irc_add_connection(ndpi_struct, flow); break; 
@@ -496,14 +496,14 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (packet->line[i].ptr[0] == ':') { flow->l4.tcp.irc_3a_counter++; if (flow->l4.tcp.irc_3a_counter == 7) { /* ':' == 0x3a */ - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "0x3a. seven times. found irc."); + NDPI_LOG_INFO(ndpi_struct, "found irc. 0x3a. seven times."); ndpi_int_irc_add_connection(ndpi_struct, flow); goto detected_irc; } } } if (flow->l4.tcp.irc_3a_counter == 7) { /* ':' == 0x3a */ - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "0x3a. seven times. found irc."); + NDPI_LOG_INFO(ndpi_struct, "found irc. 0x3a. seven times."); ndpi_int_irc_add_connection(ndpi_struct, flow); goto detected_irc; } @@ -518,19 +518,19 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc || (memcmp(packet->payload, "NOTICE ", 7) == 0) || (memcmp(packet->payload, "PRIVMSG ", 8) == 0) || (memcmp(packet->payload, "VERSION ", 8) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, + NDPI_LOG_DBG2(ndpi_struct, "USER, NICK, PASS, NOTICE, PRIVMSG one time"); if (flow->l4.tcp.irc_stage == 2) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "found irc"); + NDPI_LOG_INFO(ndpi_struct, "found irc"); ndpi_int_irc_add_connection(ndpi_struct, flow); flow->l4.tcp.irc_stage = 3; } if (flow->l4.tcp.irc_stage == 1) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "second time, stage=2"); + NDPI_LOG_DBG2(ndpi_struct, "second time, stage=2"); flow->l4.tcp.irc_stage = 2; } if (flow->l4.tcp.irc_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "first time, stage=1"); + NDPI_LOG_DBG2(ndpi_struct, "first time, stage=1"); flow->l4.tcp.irc_stage = 1; } /* irc packets can have either windows line breaks (0d0a) or unix line breaks (0a) */ 
@@ -538,13 +538,11 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc && packet->payload[packet->payload_packet_len - 1] == 0x0a) { ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->parsed_lines > 1) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, - "packet contains more than one line"); + NDPI_LOG_DBG2(ndpi_struct, "packet contains more than one line"); for (c = 1; c < packet->parsed_lines; c++) { if (packet->line[c].len > 4 && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0 || memcmp(packet->line[c].ptr, "USER ", 5) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, - NDPI_LOG_TRACE, "two icq signal words in the same packet"); + NDPI_LOG_INFO(ndpi_struct, "found IRC: two icq signal words in the same packet"); ndpi_int_irc_add_connection(ndpi_struct, flow); flow->l4.tcp.irc_stage = 3; return; @@ -555,14 +553,12 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } else if (packet->payload[packet->payload_packet_len - 1] == 0x0a) { ndpi_parse_packet_line_info_any(ndpi_struct, flow); if (packet->parsed_lines > 1) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, - "packet contains more than one line"); + NDPI_LOG_DBG2(ndpi_struct, "packet contains more than one line"); for (c = 1; c < packet->parsed_lines; c++) { if (packet->line[c].len > 4 && (memcmp(packet->line[c].ptr, "NICK ", 5) == 0 || memcmp(packet->line[c].ptr, "USER ", 5) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, - "two icq signal words in the same packet"); + NDPI_LOG_INFO(ndpi_struct, "found IRC: two icq signal words in the same packet"); ndpi_int_irc_add_connection(ndpi_struct, flow); flow->l4.tcp.irc_stage = 3; return; 
@@ -594,7 +590,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc && (ndpi_check_for_IRC_traces(packet->http_url_name.ptr, packet->http_url_name.len))) || ((packet->referer_line.ptr) && (ndpi_check_for_IRC_traces(packet->referer_line.ptr, packet->referer_line.len)))) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, + NDPI_LOG_DBG2(ndpi_struct, "IRC detected from the Http URL/ Referer header "); flow->l4.tcp.irc_stage = 1; // HTTP POST Request body is not in the same packet. @@ -613,22 +609,21 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc || (((packet->payload_packet_len - http_content_ptr_len) > 5) && (memcmp(packet->payload + http_content_ptr_len, "item=", 5) == 0) && (ndpi_check_for_cmd(ndpi_struct, flow) != 0))) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "IRC Nickname, cmd, one time"); + NDPI_LOG_INFO(ndpi_struct, "found IRC: Nickname, cmd, one time"); ndpi_int_irc_add_connection(ndpi_struct, flow); return; } } detected_irc: - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "detected_irc:"); + NDPI_LOG_DBG2(ndpi_struct, "detected_irc:"); if (flow->detected_protocol_stack[0] == NDPI_PROTOCOL_IRC) { /* maybe this can be deleted at the end */ if (packet->payload[packet->payload_packet_len - 2] != 0x0d && packet->payload[packet->payload_packet_len - 1] == 0x0a) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, - "ndpi_parse_packet_line_info_any(ndpi_struct, flow);"); + NDPI_LOG_DBG2(ndpi_struct, "ndpi_parse_packet_line_info_any(ndpi_struct, flow);"); ndpi_parse_packet_line_info_any(ndpi_struct, flow); } else if (packet->payload[packet->payload_packet_len - 2] == 0x0d) { ndpi_parse_packet_line_info(ndpi_struct, flow); 
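Review bot: Under the `detected_irc:` label (`@@ -613,22 +609,21 @@`), `packet->payload[packet->payload_packet_len - 2]` is indexed with no length check in view. The `packet->payload_packet_len > 0` test in the following hunk suggests a zero-length payload can reach this point. With a length below 2 the index refers to a byte before the payload buffer. Since the commit already rewrites these lines, I would put the length first in the condition, `if (packet->payload_packet_len >= 2 && packet->payload[packet->payload_packet_len - 2] != 0x0d && packet->payload[packet->payload_packet_len - 1] == 0x0a) {`, and apply the same guard to the `else if`. The function body starts and ends outside the hunk, so an earlier check may already exist.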
@@ -637,27 +632,27 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } for (i = 0; i < packet->parsed_lines; i++) { if (packet->line[i].len > 6 && memcmp(packet->line[i].ptr, "NOTICE ", 7) == 0) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "NOTICE"); + NDPI_LOG_DBG2(ndpi_struct, "NOTICE"); for (j = 7; j < packet->line[i].len - 8; j++) { if (packet->line[i].ptr[j] == ':') { if (memcmp(&packet->line[i].ptr[j + 1], "DCC SEND ", 9) == 0 || memcmp(&packet->line[i].ptr[j + 1], "DCC CHAT ", 9) == 0) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, + NDPI_LOG_INFO(ndpi_struct, "found NOTICE and DCC CHAT or DCC SEND."); } } } } if (packet->payload_packet_len > 0 && packet->payload[0] == 0x3a /* 0x3a = ':' */ ) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "3a"); + NDPI_LOG_DBG2(ndpi_struct, "3a"); for (j = 1; j < packet->line[i].len - 9; j++) { if (packet->line[i].ptr[j] == ' ') { j++; if (packet->line[i].ptr[j] == 'P') { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "P"); + NDPI_LOG_DBG2(ndpi_struct, "P"); j++; if (memcmp(&packet->line[i].ptr[j], "RIVMSG ", 7) == 0) - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "RIVMSG"); + NDPI_LOG_DBG2(ndpi_struct, "RIVMSG"); h = j + 7; goto read_privmsg; } 
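Review bot: In the `0x3a` branch (`@@ -637,27 +632,27 @@`), `if (memcmp(&packet->line[i].ptr[j], "RIVMSG ", 7) == 0)` has no braces, so it guards only the `NDPI_LOG_DBG2(ndpi_struct, "RIVMSG");` call. `h = j + 7;` and `goto read_privmsg;` then run for any token that starts with `P`, whether or not the rest matches, and the condition has no effect at all once logging is compiled out. If the jump is meant to depend on the match, brace all three statements: `if (memcmp(&packet->line[i].ptr[j], "RIVMSG ", 7) == 0) { NDPI_LOG_DBG2(ndpi_struct, "RIVMSG"); h = j + 7; goto read_privmsg; }`. If it is not, drop the `if` so the intent is clear. Either choice changes or documents parsing behaviour, so it should be checked against the IRC test captures.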
@@ -665,25 +660,24 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } } if (packet->line[i].len > 7 && (memcmp(packet->line[i].ptr, "PRIVMSG ", 8) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, "PRIVMSG "); + NDPI_LOG_DBG2(ndpi_struct, "PRIVMSG "); h = 7; read_privmsg: for (j = h; j < packet->line[i].len - 9; j++) { if (packet->line[i].ptr[j] == ':') { if (memcmp(&packet->line[i].ptr[j + 1], "xdcc ", 5) == 0) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "xdcc should match."); + NDPI_LOG_DBG2(ndpi_struct, "xdcc should match."); } j += 2; if (memcmp(&packet->line[i].ptr[j], "DCC ", 4) == 0) { j += 4; - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "found DCC."); + NDPI_LOG_DBG2(ndpi_struct, "found DCC."); if (memcmp(&packet->line[i].ptr[j], "SEND ", 5) == 0 || (memcmp(&packet->line[i].ptr[j], "CHAT", 4) == 0) || (memcmp(&packet->line[i].ptr[j], "chat", 4) == 0) || (memcmp(&packet->line[i].ptr[j], "sslchat", 7) == 0) || (memcmp(&packet->line[i].ptr[j], "TSEND", 5) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, - "found CHAT,chat,sslchat,TSEND."); + NDPI_LOG_DBG2(ndpi_struct, "found CHAT,chat,sslchat,TSEND."); j += 4; while (packet->line[i].len > j && 
@@ -696,35 +690,29 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (packet->line[i].ptr[j] == ' ') { space++; - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "space %u.", space); + NDPI_LOG_DBG2(ndpi_struct, "space %u.", space); } if (space == 3) { j++; - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "read port."); + NDPI_LOG_DBG2(ndpi_struct, "read port."); if (src != NULL) { k = j; port = ntohs_ndpi_bytestream_to_number (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j); - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "port %u.", + NDPI_LOG_DBG2(ndpi_struct, "port %u.", port); j = k; // hier jetzt überlegen, wie die ports abgespeichert werden sollen if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT) - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, - "src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT."); + NDPI_LOG_DBG2(ndpi_struct, "src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT."); if (src->irc_number_of_port < NDPI_PROTOCOL_IRC_MAXPORT && port != 0) { if (!ndpi_is_duplicate(src, port)) { src->irc_port[src->irc_number_of_port] = port; src->irc_number_of_port++; - NDPI_LOG - (NDPI_PROTOCOL_IRC, - ndpi_struct, - NDPI_LOG_DEBUG, "found port=%d", + NDPI_LOG_DBG2(ndpi_struct, "found port=%d jjeeeeeeeeeeeeeeeeeeeeeeeee", ntohs(get_u_int16_t(src->irc_port, 0))); - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, - "jjeeeeeeeeeeeeeeeeeeeeeeeee"); } src->irc_ts = packet->tick_timestamp; } else if (port != 0 && src->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { 
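Review bot: The port parse passes `packet->payload_packet_len - j` as the length limit to `ntohs_ndpi_bytestream_to_number`, but `j` is an offset into `packet->line[i]`, not into the payload. If that argument caps how many bytes the helper may consume (its definition is not in this hunk), the cap is too large for any line that does not start at payload offset 0, and a run of digits at the end of the packet could be read past the buffer. Bounding by the line is tighter: `packet->line[i].len - j`. The `dst != NULL` branch in the `-747,8` hunk makes the same call with the same limit.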
@@ -732,11 +720,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc less = 0; NDPI_IRC_FIND_LESS(src->last_time_port_used, less); src->irc_port[less] = port; - NDPI_LOG - (NDPI_PROTOCOL_IRC, - ndpi_struct, - NDPI_LOG_DEBUG, "found port=%d", - ntohs(get_u_int16_t(src->irc_port, 0))); + NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(src->irc_port, 0))); } src->irc_ts = packet->tick_timestamp; } @@ -747,8 +731,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc if (dst != NULL) { port = ntohs_ndpi_bytestream_to_number (&packet->line[i].ptr[j], packet->payload_packet_len - j, &j); - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_TRACE, "port %u.", - port); + NDPI_LOG_DBG2(ndpi_struct, "port %u.", port); // hier das gleiche wie oben. /* hier werden NDPI_PROTOCOL_IRC_MAXPORT ports pro irc flows mitgespeichert. könnte man denn nicht ein- * fach an die dst oder src einen flag setzten, dass dieser port für eine bestimmte @@ -759,13 +742,8 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc dst->irc_port[dst->irc_number_of_port] = port; dst->irc_number_of_port++; - NDPI_LOG - (NDPI_PROTOCOL_IRC, - ndpi_struct, - NDPI_LOG_DEBUG, "found port=%d", - ntohs(get_u_int16_t(dst->irc_port, 0))); - NDPI_LOG(NDPI_PROTOCOL_IRC, ndpi_struct, NDPI_LOG_DEBUG, - "juuuuuuuuuuuuuuuu"); + NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0))); + NDPI_LOG_DBG2(ndpi_struct, "juuuuuuuuuuuuuuuu"); } dst->irc_ts = packet->tick_timestamp; } else if (port != 0 && dst->irc_number_of_port == NDPI_PROTOCOL_IRC_MAXPORT) { 
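Review bot: `NDPI_LOG_DBG2(ndpi_struct, "juuuuuuuuuuuuuuuu");` in the `-759,13` hunk is a development placeholder that tells a reader of the debug log nothing, and the `src` branch folded its counterpart into `"found port=%d jjeeeeeeeeeeeeeeeeeeeeeeeee"`; both are better dropped while these lines are being rewritten. The "found port" messages also print `get_u_int16_t(dst->irc_port, 0)`, which is slot 0 of the array, not the slot just written (`irc_port[less]` or `irc_port[irc_number_of_port]`). Logging the stored slot, presumably `ntohs(dst->irc_port[less])` here, would make the message match what the code did.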
@@ -774,11 +752,7 @@ void ndpi_search_irc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc NDPI_IRC_FIND_LESS(dst->last_time_port_used, less); dst->irc_port[less] = port; - NDPI_LOG - (NDPI_PROTOCOL_IRC, - ndpi_struct, - NDPI_LOG_DEBUG, "found port=%d", - ntohs(get_u_int16_t(dst->irc_port, 0))); + NDPI_LOG_DBG2(ndpi_struct, "found port=%d", ntohs(get_u_int16_t(dst->irc_port, 0))); } dst->irc_ts = packet->tick_timestamp; } diff --git a/src/lib/protocols/jabber.c b/src/lib/protocols/jabber.c index d8be54adf..05950d8c5 100644 --- a/src/lib/protocols/jabber.c +++ b/src/lib/protocols/jabber.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_UNENCRYPTED_JABBER + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UNENCRYPTED_JABBER #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_UNENCRYPTED_JABBER struct jabber_string { char *string; u_int ndpi_protocol; 
@@ -70,51 +74,47 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st u_int16_t x; - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_TRACE, "JABBER detection....\n"); + NDPI_LOG_DBG(ndpi_struct, "search JABBER\n"); /* search for jabber file transfer */ /* this part is working asymmetrically */ if (packet->tcp != NULL && packet->tcp->syn != 0 && packet->payload_packet_len == 0) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "check jabber syn\n"); + NDPI_LOG_DBG2(ndpi_struct, "check jabber syn\n"); if (src != NULL && src->jabber_file_transfer_port[0] != 0) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, - "src jabber ft port set, ports are: %u, %u\n", ntohs(src->jabber_file_transfer_port[0]), - ntohs(src->jabber_file_transfer_port[1])); + NDPI_LOG_DBG2(ndpi_struct, "src jabber ft port set, ports are: %u, %u\n", + ntohs(src->jabber_file_transfer_port[0]), + ntohs(src->jabber_file_transfer_port[1])); if (((u_int32_t) (packet->tick_timestamp - src->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "JABBER src stun timeout %u %u\n", src->jabber_stun_or_ft_ts, - packet->tick_timestamp); + NDPI_LOG_DBG2(ndpi_struct, "JABBER src stun timeout %u %u\n", + src->jabber_stun_or_ft_ts, packet->tick_timestamp); src->jabber_file_transfer_port[0] = 0; src->jabber_file_transfer_port[1] = 0; } else if (src->jabber_file_transfer_port[0] == packet->tcp->dest || src->jabber_file_transfer_port[0] == packet->tcp->source || src->jabber_file_transfer_port[1] == packet->tcp->dest || src->jabber_file_transfer_port[1] == packet->tcp->source) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, - "found jabber file transfer.\n"); + NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n"); ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER); 
} } if (dst != NULL && dst->jabber_file_transfer_port[0] != 0) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, - "dst jabber ft port set, ports are: %u, %u\n", ntohs(dst->jabber_file_transfer_port[0]), - ntohs(dst->jabber_file_transfer_port[1])); + NDPI_LOG_DBG2(ndpi_struct, "dst jabber ft port set, ports are: %u, %u\n", + ntohs(dst->jabber_file_transfer_port[0]), + ntohs(dst->jabber_file_transfer_port[1])); if (((u_int32_t) (packet->tick_timestamp - dst->jabber_stun_or_ft_ts)) >= ndpi_struct->jabber_file_transfer_timeout) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "JABBER dst stun timeout %u %u\n", dst->jabber_stun_or_ft_ts, - packet->tick_timestamp); + NDPI_LOG_DBG2(ndpi_struct, "JABBER dst stun timeout %u %u\n", + dst->jabber_stun_or_ft_ts, packet->tick_timestamp); dst->jabber_file_transfer_port[0] = 0; dst->jabber_file_transfer_port[1] = 0; } else if (dst->jabber_file_transfer_port[0] == packet->tcp->dest || dst->jabber_file_transfer_port[0] == packet->tcp->source || dst->jabber_file_transfer_port[1] == packet->tcp->dest || dst->jabber_file_transfer_port[1] == packet->tcp->source) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, - "found jabber file transfer.\n"); + NDPI_LOG_INFO(ndpi_struct, "found jabber file transfer\n"); ndpi_int_jabber_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER); 
@@ -135,17 +135,17 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st /* check for google jabber voip connections ... */ /* need big packet */ if (packet->payload_packet_len < 100) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "packet too small, return.\n"); + NDPI_LOG_DBG2(ndpi_struct, "packet too small, return\n"); return; } /* need message to or type for file-transfer */ if (memcmp(packet->payload, "payload, "payload_packet_len - 11; for (x = 10; x < lastlen; x++) { if (packet->payload[x] == 'p') { if (memcmp(&packet->payload[x], "port=", 5) == 0) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "port=\n"); + NDPI_LOG_DBG2(ndpi_struct, "port=\n"); if (src != NULL) { src->jabber_stun_or_ft_ts = packet->tick_timestamp; } 
@@ -155,30 +155,25 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st } x += 6; j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x); - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "JABBER port : %u\n", ntohs(j_port)); + NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port)); if (src != NULL) { if (src->jabber_file_transfer_port[0] == 0 || src->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "src->jabber_file_transfer_port[0] = j_port = %u;\n", + NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n", ntohs(j_port)); src->jabber_file_transfer_port[0] = j_port; } else { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "src->jabber_file_transfer_port[1] = j_port = %u;\n", + NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n", ntohs(j_port)); src->jabber_file_transfer_port[1] = j_port; } } if (dst != NULL) { if (dst->jabber_file_transfer_port[0] == 0 || dst->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "dst->jabber_file_transfer_port[0] = j_port = %u;\n", + NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n", ntohs(j_port)); dst->jabber_file_transfer_port[0] = j_port; } else { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "dst->jabber_file_transfer_port[1] = j_port = %u;\n", + NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n", ntohs(j_port)); dst->jabber_file_transfer_port[1] = j_port; } @@ -191,7 +186,7 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st } else if (memcmp(packet->payload, "payload, "payload, "payload_packet_len - 21; for (x = 8; x < lastlen; x++) { /* invalid character */ 
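Review bot: `ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x)` starts reading at offset `x` but is given the whole payload length as its limit. Assuming the second argument bounds the bytes the helper may consume (its definition is not shown here), a `port=` value whose digits run to the end of the packet lets it read up to `x` bytes past the payload. Passing the remaining length closes that: `packet->payload_packet_len - x`. The same call with the same limit appears in the `-222,8` hunk of this file.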
@@ -199,7 +194,7 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st return; } if (packet->payload[x] == '@') { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "JABBER @\n"); + NDPI_LOG_DBG2(ndpi_struct, "JABBER @\n"); break; } } @@ -211,7 +206,7 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st for (; x < lastlen; x++) { if (packet->payload[x] == 'p') { if (memcmp(&packet->payload[x], "port=", 5) == 0) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "port=\n"); + NDPI_LOG_DBG2(ndpi_struct, "port=\n"); if (src != NULL) { src->jabber_stun_or_ft_ts = packet->tick_timestamp; } @@ -222,8 +217,7 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st x += 6; j_port = ntohs_ndpi_bytestream_to_number(&packet->payload[x], packet->payload_packet_len, &x); - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "JABBER port : %u\n", ntohs(j_port)); + NDPI_LOG_DBG2(ndpi_struct, "JABBER port : %u\n", ntohs(j_port)); if (src != NULL && src->jabber_voice_stun_used_ports < JABBER_MAX_STUN_PORTS - 1) { if (packet->payload[5] == 'o') { 
@@ -232,13 +226,12 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st } else { if (src->jabber_file_transfer_port[0] == 0 || src->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, - "src->jabber_file_transfer_port[0] = j_port = %u;\n", ntohs(j_port)); + NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[0] = j_port = %u;\n", + ntohs(j_port)); src->jabber_file_transfer_port[0] = j_port; } else { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "src->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); + NDPI_LOG_DBG2(ndpi_struct, "src->jabber_file_transfer_port[1] = j_port = %u;\n", + ntohs(j_port)); src->jabber_file_transfer_port[1] = j_port; } } @@ -251,13 +244,12 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st } else { if (dst->jabber_file_transfer_port[0] == 0 || dst->jabber_file_transfer_port[0] == j_port) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, - "dst->jabber_file_transfer_port[0] = j_port = %u;\n", ntohs(j_port)); + NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[0] = j_port = %u;\n", + ntohs(j_port)); dst->jabber_file_transfer_port[0] = j_port; } else { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "dst->jabber_file_transfer_port[1] = j_port = %u;\n", - ntohs(j_port)); + NDPI_LOG_DBG2(ndpi_struct, "dst->jabber_file_transfer_port[1] = j_port = %u;\n", + ntohs(j_port)); dst->jabber_file_transfer_port[1] = j_port; } } 
@@ -291,16 +283,14 @@ void ndpi_search_jabber_tcp(struct ndpi_detection_module_struct *ndpi_struct, st } if (flow->packet_counter < 3) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, - NDPI_LOG_DEBUG, "packet_counter: %u\n", flow->packet_counter); + NDPI_LOG_DBG2(ndpi_struct, "packet_counter: %u\n", flow->packet_counter); return; } - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_TRACE, "JABBER Excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); #ifdef NDPI_PROTOCOL_TRUPHONE - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TRUPHONE); + ndpi_exclude_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TRUPHONE,__FILE__,__FUNCTION__,__LINE__); #endif } diff --git a/src/lib/protocols/kakaotalk_voice.c b/src/lib/protocols/kakaotalk_voice.c index fbdc8eac6..87c1ef061 100644 --- a/src/lib/protocols/kakaotalk_voice.c +++ b/src/lib/protocols/kakaotalk_voice.c @@ -24,13 +24,20 @@ http://www.kakao.com/services/talk/voices */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_KAKAOTALK_VOICE + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_KAKAOTALK_VOICE + #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_KAKAOTALK_VOICE void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search kakaotalk_voice\n"); + if(packet->iph && packet->udp && (packet->payload_packet_len >= 4) 
@@ -48,14 +55,14 @@ void ndpi_search_kakaotalk_voice(struct ndpi_detection_module_struct *ndpi_struc if(((ntohl(packet->iph->saddr) & 0xFFFF0000 /* 255.255.0.0 */) == 0x01C90000 /* 1.201.0.0/16 */) || ((ntohl(packet->iph->daddr) & 0xFFFF0000 /* 255.255.0.0 */) == 0x01C90000 /* 1.201.0.0/16 */)) { + NDPI_LOG_INFO(ndpi_struct, "found kakaotalk_voice\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KAKAOTALK_VOICE, NDPI_PROTOCOL_UNKNOWN); return; } } } - NDPI_LOG(NDPI_PROTOCOL_KAKAOTALK_VOICE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude kakaotalk_voice.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_KAKAOTALK_VOICE); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/kerberos.c b/src/lib/protocols/kerberos.c index b86b58a20..71f4a8636 100644 --- a/src/lib/protocols/kerberos.c +++ b/src/lib/protocols/kerberos.c @@ -22,24 +22,28 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_KERBEROS +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_KERBEROS + +#include "ndpi_api.h" + + static void ndpi_int_kerberos_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KERBEROS, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_DBG(ndpi_struct, "trace KERBEROS\n"); } void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search KERBEROS\n"); /* I have observed 0a,0c,0d,0e at packet->payload[19/21], maybe there are other possibilities */ if (packet->payload_packet_len >= 4 && ntohl(get_u_int32_t(packet->payload, 0)) == packet->payload_packet_len - 4) { 
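Review bot: `ndpi_int_kerberos_add_connection` now reports a match with `NDPI_LOG_DBG(ndpi_struct, "trace KERBEROS\n");`, while the other dissectors touched by this commit report a match at INFO level with a "found …" message (kakaotalk_voice just above, kontiki, ldap). Since the two `found KERBEROS` lines are removed from `ndpi_search_kerberos` in the following hunks, a Kerberos hit becomes visible only at debug level and under a different wording. Suggested for consistency: `NDPI_LOG_INFO(ndpi_struct, "found KERBEROS\n");`.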
@@ -47,7 +51,6 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, stru packet->payload[14] == 0x05 && (packet->payload[19] == 0x0a || packet->payload[19] == 0x0c || packet->payload[19] == 0x0d || packet->payload[19] == 0x0e)) { - NDPI_LOG(NDPI_PROTOCOL_KERBEROS, ndpi_struct, NDPI_LOG_DEBUG, "found KERBEROS\n"); ndpi_int_kerberos_add_connection(ndpi_struct, flow); return; @@ -56,18 +59,12 @@ void ndpi_search_kerberos(struct ndpi_detection_module_struct *ndpi_struct, stru packet->payload[16] == 0x05 && (packet->payload[21] == 0x0a || packet->payload[21] == 0x0c || packet->payload[21] == 0x0d || packet->payload[21] == 0x0e)) { - NDPI_LOG(NDPI_PROTOCOL_KERBEROS, ndpi_struct, NDPI_LOG_DEBUG, "found KERBEROS\n"); ndpi_int_kerberos_add_connection(ndpi_struct, flow); return; } - - - } - - NDPI_LOG(NDPI_PROTOCOL_KERBEROS, ndpi_struct, NDPI_LOG_DEBUG, "no KERBEROS detected.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_KERBEROS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/kontiki.c b/src/lib/protocols/kontiki.c index 6bd55cdc5..425fd6b1b 100644 --- a/src/lib/protocols/kontiki.c +++ b/src/lib/protocols/kontiki.c 
@@ -23,44 +23,46 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_KONTIKI +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_KONTIKI + +#include "ndpi_api.h" + + static void ndpi_int_kontiki_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_KONTIKI, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found Kontiki UDP\n"); } void ndpi_search_kontiki(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - + NDPI_LOG_DBG(ndpi_struct, "search Kontiki\n"); if (packet->payload_packet_len == 4 && (get_u_int32_t(packet->payload, 0) == htonl(0x02010100))) { - NDPI_LOG(NDPI_PROTOCOL_KONTIKI, ndpi_struct, NDPI_LOG_DEBUG, "Kontiki UDP detected.\n"); ndpi_int_kontiki_add_connection(ndpi_struct, flow); return; } + if (packet->payload_packet_len > 0 && packet->payload[0] == 0x02) { if (packet->payload_packet_len == 20 && (get_u_int32_t(packet->payload, 16) == htonl(0x02040100))) { - NDPI_LOG(NDPI_PROTOCOL_KONTIKI, ndpi_struct, NDPI_LOG_DEBUG, "Kontiki UDP detected.\n"); ndpi_int_kontiki_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len == 16 && (get_u_int32_t(packet->payload, 12) == htonl(0x000004e4))) { - NDPI_LOG(NDPI_PROTOCOL_KONTIKI, ndpi_struct, NDPI_LOG_DEBUG, "Kontiki UDP detected.\n"); ndpi_int_kontiki_add_connection(ndpi_struct, flow); return; } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_KONTIKI); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/ldap.c b/src/lib/protocols/ldap.c index fee99a92d..4adb7c471 100644 --- a/src/lib/protocols/ldap.c +++ b/src/lib/protocols/ldap.c 
@@ -22,11 +22,15 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_LDAP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_LDAP + +#include "ndpi_api.h" + + static void ndpi_int_ldap_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -37,15 +41,7 @@ void ndpi_search_ldap(struct ndpi_detection_module_struct *ndpi_struct, struct n { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - -// u_int16_t dport; - - - - NDPI_LOG(NDPI_PROTOCOL_LDAP, ndpi_struct, NDPI_LOG_DEBUG, "search ldap\n"); - + NDPI_LOG_DBG(ndpi_struct, "search ldap\n"); if (packet->payload_packet_len >= 14 && packet->payload[0] == 0x30) { @@ -55,14 +51,14 @@ void ndpi_search_ldap(struct ndpi_detection_module_struct *ndpi_struct, struct n if (packet->payload[3] == 0x01 && (packet->payload[5] == 0x60 || packet->payload[5] == 0x61) && packet->payload[6] == 0x07) { - NDPI_LOG(NDPI_PROTOCOL_LDAP, ndpi_struct, NDPI_LOG_DEBUG, "found ldap simple type 1\n"); + NDPI_LOG_INFO(ndpi_struct, "found ldap simple type 1\n"); ndpi_int_ldap_add_connection(ndpi_struct, flow); return; } if (packet->payload[3] == 0x02 && (packet->payload[6] == 0x60 || packet->payload[6] == 0x61) && packet->payload[7] == 0x07) { - NDPI_LOG(NDPI_PROTOCOL_LDAP, ndpi_struct, NDPI_LOG_DEBUG, "found ldap simple type 2\n"); + NDPI_LOG_INFO(ndpi_struct, "found ldap simple type 2\n"); ndpi_int_ldap_add_connection(ndpi_struct, flow); return; } 
@@ -75,7 +71,7 @@ void ndpi_search_ldap(struct ndpi_detection_module_struct *ndpi_struct, struct n (packet->payload[9] == 0x60 || packet->payload[9] == 0x61 || packet->payload[9] == 0x63 || packet->payload[9] == 0x64) && packet->payload[10] == 0x84) { - NDPI_LOG(NDPI_PROTOCOL_LDAP, ndpi_struct, NDPI_LOG_DEBUG, "found ldap type 1\n"); + NDPI_LOG_INFO(ndpi_struct, "found ldap type 1\n"); ndpi_int_ldap_add_connection(ndpi_struct, flow); return; } @@ -84,7 +80,7 @@ void ndpi_search_ldap(struct ndpi_detection_module_struct *ndpi_struct, struct n (packet->payload[10] == 0x60 || packet->payload[10] == 0x61 || packet->payload[10] == 0x63 || packet->payload[10] == 0x64) && packet->payload[11] == 0x84) { - NDPI_LOG(NDPI_PROTOCOL_LDAP, ndpi_struct, NDPI_LOG_DEBUG, "found ldap type 2\n"); + NDPI_LOG_INFO(ndpi_struct, "found ldap type 2\n"); ndpi_int_ldap_add_connection(ndpi_struct, flow); return; } @@ -92,8 +88,7 @@ void ndpi_search_ldap(struct ndpi_detection_module_struct *ndpi_struct, struct n } - NDPI_LOG(NDPI_PROTOCOL_LDAP, ndpi_struct, NDPI_LOG_DEBUG, "ldap excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_LDAP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/lisp.c b/src/lib/protocols/lisp.c index 01e445398..e507be9f9 100644 --- a/src/lib/protocols/lisp.c +++ b/src/lib/protocols/lisp.c @@ -1,6 +1,11 @@ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_LISP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_LISP + +#include "ndpi_api.h" + #define LISP_PORT 4341 #define LISP_PORT1 4342 @@ -16,9 +21,8 @@ static void ndpi_check_lisp(struct ndpi_detection_module_struct *ndpi_struct, st { struct ndpi_packet_struct *packet = &flow->packet; - u_int32_t payload_len = packet->payload_packet_len; - if(packet->udp != NULL) { + if(packet->udp != NULL) { u_int16_t lisp_port = htons(LISP_PORT); u_int16_t lisp_port1 = htons(LISP_PORT1); 
@@ -28,22 +32,21 @@ static void ndpi_check_lisp(struct ndpi_detection_module_struct *ndpi_struct, st ((packet->udp->source == lisp_port1) && (packet->udp->dest == lisp_port1)) ) { - NDPI_LOG(NDPI_PROTOCOL_LISP, ndpi_struct, NDPI_LOG_DEBUG, "Found lisp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found lisp\n"); ndpi_int_lisp_add_connection(ndpi_struct, flow, 0); return; } } - NDPI_LOG(NDPI_PROTOCOL_LISP, ndpi_struct, NDPI_LOG_DEBUG, "exclude lisp.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_LISP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_lisp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_LISP, ndpi_struct, NDPI_LOG_DEBUG, "lisp detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search lisp\n"); /* skip marked packets */ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_LISP) { diff --git a/src/lib/protocols/lotus_notes.c b/src/lib/protocols/lotus_notes.c index 37c4cf896..5750c50cd 100644 --- a/src/lib/protocols/lotus_notes.c +++ b/src/lib/protocols/lotus_notes.c @@ -18,10 +18,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_LOTUS_NOTES + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_LOTUS_NOTES #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_LOTUS_NOTES /* ************************************ */ 
@@ -32,38 +36,35 @@ static void ndpi_check_lotus_notes(struct ndpi_detection_module_struct *ndpi_str // const u_int8_t *packet_payload = packet->payload; u_int32_t payload_len = packet->payload_packet_len; - if(packet->tcp != NULL) { - flow->l4.tcp.lotus_notes_packet_id++; - - if((flow->l4.tcp.lotus_notes_packet_id == 1) - /* We have seen the 3-way handshake */ - && flow->l4.tcp.seen_syn - && flow->l4.tcp.seen_syn_ack - && flow->l4.tcp.seen_ack) { - if(payload_len > 16) { - char lotus_notes_header[] = { 0x00, 0x00, 0x02, 0x00, 0x00, 0x40, 0x02, 0x0F }; - - if(memcmp(&packet->payload[6], lotus_notes_header, sizeof(lotus_notes_header)) == 0) { - NDPI_LOG(NDPI_PROTOCOL_LOTUS_NOTES, ndpi_struct, NDPI_LOG_DEBUG, "Found lotus_notes.\n"); - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LOTUS_NOTES, NDPI_PROTOCOL_UNKNOWN); - } - - return; + if(packet->tcp == NULL) return; + + flow->l4.tcp.lotus_notes_packet_id++; + + if((flow->l4.tcp.lotus_notes_packet_id == 1) + /* We have seen the 3-way handshake */ + && flow->l4.tcp.seen_syn + && flow->l4.tcp.seen_syn_ack + && flow->l4.tcp.seen_ack) { + if(payload_len > 16) { + char lotus_notes_header[] = { 0x00, 0x00, 0x02, 0x00, 0x00, 0x40, 0x02, 0x0F }; + + if(memcmp(&packet->payload[6], lotus_notes_header, sizeof(lotus_notes_header)) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found lotus_notes\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_LOTUS_NOTES, NDPI_PROTOCOL_UNKNOWN); } + return; + } + + } else if(flow->l4.tcp.lotus_notes_packet_id <= 3) return; - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_LOTUS_NOTES); - } else if(flow->l4.tcp.lotus_notes_packet_id > 3) - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_LOTUS_NOTES); - - return; - } + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_lotus_notes(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - 
NDPI_LOG(NDPI_PROTOCOL_LOTUS_NOTES, ndpi_struct, NDPI_LOG_DEBUG, "lotus_notes detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search lotus_notes\n"); /* skip marked packets */ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_LOTUS_NOTES) diff --git a/src/lib/protocols/mail_imap.c b/src/lib/protocols/mail_imap.c index 4e352583e..2c3d3d2d7 100644 --- a/src/lib/protocols/mail_imap.c +++ b/src/lib/protocols/mail_imap.c @@ -22,10 +22,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_MAIL_IMAP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MAIL_IMAP + +#include "ndpi_api.h" + + static void ndpi_int_mail_imap_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAIL_IMAP, NDPI_PROTOCOL_UNKNOWN); @@ -40,11 +45,11 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t saw_command = 0; /* const u_int8_t *command = 0; */ - NDPI_LOG(NDPI_PROTOCOL_MAIL_IMAP, ndpi_struct, NDPI_LOG_DEBUG, "search IMAP.\n"); + NDPI_LOG_DBG(ndpi_struct, "search IMAP_IMAP\n"); if (flow->l4.tcp.mail_imap_starttls == 2) { #ifdef NDPI_PROTOCOL_SSL - NDPI_LOG(NDPI_PROTOCOL_MAIL_IMAP, ndpi_struct, NDPI_LOG_DEBUG, "starttls detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "starttls detected\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MAIL_IMAP); NDPI_DEL_PROTOCOL_FROM_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSL); return; @@ -275,7 +280,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, if (saw_command == 1) { if (flow->l4.tcp.mail_imap_stage == 3 || flow->l4.tcp.mail_imap_stage == 5) { - NDPI_LOG(NDPI_PROTOCOL_MAIL_IMAP, ndpi_struct, NDPI_LOG_DEBUG, "mail imap identified\n"); + NDPI_LOG_INFO(ndpi_struct, "found MAIL_IMAP\n"); ndpi_int_mail_imap_add_connection(ndpi_struct, flow); return; } 
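Review bot: The entry message added to `ndpi_search_mail_imap_tcp` reads `"search IMAP_IMAP\n"`, which looks like a typo for the protocol name used by the match message in the same file (`"found MAIL_IMAP\n"`). `NDPI_LOG_DBG(ndpi_struct, "search MAIL_IMAP\n");` keeps both lines greppable under one name. The function body continues outside the hunk.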
@@ -283,7 +288,7 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, } if (packet->payload_packet_len > 1 && packet->payload[packet->payload_packet_len - 1] == ' ') { - NDPI_LOG(NDPI_PROTOCOL_MAIL_IMAP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "maybe a split imap command -> need next packet and imap_stage is set to 4.\n"); flow->l4.tcp.mail_imap_stage = 4; return; @@ -295,13 +300,12 @@ void ndpi_search_mail_imap_tcp(struct ndpi_detection_module_struct *ndpi_struct, // if the packet count is low enough and at least one command or response was seen before if ((packet->payload_packet_len >= 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) && flow->packet_counter < 6 && flow->l4.tcp.mail_imap_stage >= 1) { - NDPI_LOG(NDPI_PROTOCOL_MAIL_IMAP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "no imap command or response but packet count < 6 and imap stage >= 1 -> skip\n"); return; } - NDPI_LOG(NDPI_PROTOCOL_MAIL_IMAP, ndpi_struct, NDPI_LOG_DEBUG, "exclude IMAP.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MAIL_IMAP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/mail_pop.c b/src/lib/protocols/mail_pop.c index 0e487c4a5..4f9a6ea5f 100644 --- a/src/lib/protocols/mail_pop.c +++ b/src/lib/protocols/mail_pop.c @@ -23,10 +23,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_MAIL_POP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MAIL_POP + +#include "ndpi_api.h" + + #define POP_BIT_AUTH 0x0001 #define POP_BIT_APOP 0x0002 #define POP_BIT_USER 0x0004 
@@ -52,9 +57,6 @@ static int ndpi_int_mail_pop_check_for_client_commands(struct ndpi_detection_mod { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - if (packet->payload_packet_len > 4) { if ((packet->payload[0] == 'A' || packet->payload[0] == 'a') && (packet->payload[1] == 'U' || packet->payload[1] == 'u') @@ -133,13 +135,10 @@ void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; u_int8_t a = 0; u_int8_t bit_count = 0; - NDPI_LOG(NDPI_PROTOCOL_MAIL_POP, ndpi_struct, NDPI_LOG_DEBUG, "search mail_pop\n"); + NDPI_LOG_DBG(ndpi_struct, "search mail_pop\n"); @@ -165,12 +164,12 @@ void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct } } - NDPI_LOG(NDPI_PROTOCOL_MAIL_POP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "mail_pop +OK/-ERR responses: %u, unique commands: %u\n", flow->l4.tcp.mail_pop_stage, bit_count); if ((bit_count + flow->l4.tcp.mail_pop_stage) >= 3) { if (flow->l4.tcp.mail_pop_stage > 0) { - NDPI_LOG(NDPI_PROTOCOL_MAIL_POP, ndpi_struct, NDPI_LOG_DEBUG, "mail_pop identified\n"); + NDPI_LOG_INFO(ndpi_struct, "mail_pop identified\n"); ndpi_int_mail_pop_add_connection(ndpi_struct, flow); return; } else { @@ -182,7 +181,7 @@ void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct } else { // first part of a split packet - NDPI_LOG(NDPI_PROTOCOL_MAIL_POP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "mail_pop command without line ending -> skip\n"); return; } 
@@ -193,13 +192,12 @@ void ndpi_search_mail_pop_tcp(struct ndpi_detection_module_struct if (((packet->payload_packet_len > 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) || flow->l4.tcp.pop_command_bitmask != 0 || flow->l4.tcp.mail_pop_stage != 0) && flow->packet_counter < 12) { // maybe part of a split pop packet - NDPI_LOG(NDPI_PROTOCOL_MAIL_POP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "maybe part of split mail_pop packet -> skip\n"); return; } - NDPI_LOG(NDPI_PROTOCOL_MAIL_POP, ndpi_struct, NDPI_LOG_DEBUG, "exclude mail_pop\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MAIL_POP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/mail_smtp.c b/src/lib/protocols/mail_smtp.c index 422ed0dc2..252c74ffe 100644 --- a/src/lib/protocols/mail_smtp.c +++ b/src/lib/protocols/mail_smtp.c @@ -23,10 +23,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_MAIL_SMTP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MAIL_SMTP + +#include "ndpi_api.h" + + #define SMTP_BIT_220 0x01 #define SMTP_BIT_250 0x02 #define SMTP_BIT_235 0x04 @@ -53,12 +58,7 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - - NDPI_LOG(NDPI_PROTOCOL_MAIL_SMTP, ndpi_struct, NDPI_LOG_DEBUG, "search mail_smtp.\n"); - + NDPI_LOG_DBG(ndpi_struct, "search mail_smtp\n"); if (packet->payload_packet_len > 2 && ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a) { u_int8_t a; 
@@ -152,11 +152,11 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct bit_count += (flow->l4.tcp.smtp_command_bitmask >> a) & 0x01; } } - NDPI_LOG(NDPI_PROTOCOL_MAIL_SMTP, ndpi_struct, NDPI_LOG_DEBUG, "seen smtp commands and responses: %u.\n", + NDPI_LOG_DBG2(ndpi_struct, "seen smtp commands and responses: %u\n", bit_count); if (bit_count >= 3) { - NDPI_LOG(NDPI_PROTOCOL_MAIL_SMTP, ndpi_struct, NDPI_LOG_DEBUG, "mail smtp identified\n"); + NDPI_LOG_INFO(ndpi_struct, "mail smtp identified\n"); ndpi_int_mail_smtp_add_connection(ndpi_struct, flow); return; } @@ -169,12 +169,11 @@ void ndpi_search_mail_smtp_tcp(struct ndpi_detection_module_struct packet->payload_packet_len >= 4 && (ntohs(get_u_int16_t(packet->payload, packet->payload_packet_len - 2)) == 0x0d0a || memcmp(packet->payload, "220", 3) == 0 || memcmp(packet->payload, "EHLO", 4) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_MAIL_SMTP, ndpi_struct, NDPI_LOG_DEBUG, "maybe SMTP, need next packet.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe SMTP, need next packet\n"); return; } - NDPI_LOG(NDPI_PROTOCOL_MAIL_SMTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude smtp\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MAIL_SMTP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/maplestory.c b/src/lib/protocols/maplestory.c index fa6feffd0..a55c2cc11 100644 --- a/src/lib/protocols/maplestory.c +++ b/src/lib/protocols/maplestory.c @@ -22,10 +22,14 @@ * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_MAPLESTORY +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MAPLESTORY + +#include "ndpi_api.h" + static void ndpi_int_maplestory_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MAPLESTORY, NDPI_PROTOCOL_UNKNOWN); 
@@ -36,16 +40,13 @@ void ndpi_search_maplestory(struct ndpi_detection_module_struct *ndpi_struct, st { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - - + NDPI_LOG_DBG(ndpi_struct, "search maplestory\n"); if (packet->payload_packet_len == 16 && (ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e003a00 || ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e003b00 || ntohl(get_u_int32_t(packet->payload, 0)) == 0x0e004200) && ntohs(get_u_int16_t(packet->payload, 4)) == 0x0100 && (packet->payload[6] == 0x32 || packet->payload[6] == 0x33)) { - NDPI_LOG(NDPI_PROTOCOL_MAPLESTORY, ndpi_struct, NDPI_LOG_DEBUG, "found maplestory.\n"); + NDPI_LOG_INFO(ndpi_struct, "found maplestory\n"); ndpi_int_maplestory_add_connection(ndpi_struct, flow); return; } @@ -63,7 +64,7 @@ void ndpi_search_maplestory(struct ndpi_detection_module_struct *ndpi_struct, st NDPI_STATICSTRING_LEN("patch")) == 0 && memcmp(packet->user_agent_line.ptr, "Patcher", NDPI_STATICSTRING_LEN("Patcher")) == 0 && memcmp(packet->host_line.ptr, "patch.", NDPI_STATICSTRING_LEN("patch.")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_MAPLESTORY, ndpi_struct, NDPI_LOG_DEBUG, "found maplestory update.\n"); + NDPI_LOG_INFO(ndpi_struct, "found maplestory update\n"); ndpi_int_maplestory_add_connection(ndpi_struct, flow); return; } 
@@ -71,14 +72,13 @@ void ndpi_search_maplestory(struct ndpi_detection_module_struct *ndpi_struct, st && memcmp(&packet->payload[NDPI_STATICSTRING_LEN("GET /maple")], "story/", NDPI_STATICSTRING_LEN("story/")) == 0 && memcmp(packet->user_agent_line.ptr, "AspINet", NDPI_STATICSTRING_LEN("AspINet")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_MAPLESTORY, ndpi_struct, NDPI_LOG_DEBUG, "found maplestory update.\n"); + NDPI_LOG_INFO(ndpi_struct, "found maplestory update\n"); ndpi_int_maplestory_add_connection(ndpi_struct, flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_MAPLESTORY, ndpi_struct, NDPI_LOG_DEBUG, "exclude maplestory.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MAPLESTORY); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/mdns.c b/src/lib/protocols/mdns.c index d805a0bca..aa3c3f525 100644 --- a/src/lib/protocols/mdns.c +++ b/src/lib/protocols/mdns.c @@ -20,10 +20,14 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_MDNS +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MDNS + +#include "ndpi_api.h" + #define NDPI_MAX_MDNS_REQUESTS 128 PACK_ON @@ -65,7 +69,7 @@ static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct if(((packet->payload[2] & 0x80) == 0) && (questions <= NDPI_MAX_MDNS_REQUESTS) && (answers <= NDPI_MAX_MDNS_REQUESTS)) { - NDPI_LOG(NDPI_PROTOCOL_MDNS, ndpi_struct, NDPI_LOG_DEBUG, "found MDNS with question query.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MDNS with question query\n"); return 1; } else if(((packet->payload[2] & 0x80) != 0) @@ -86,7 +90,7 @@ static int ndpi_int_check_mdns_payload(struct ndpi_detection_module_struct strncpy(flow->protos.mdns.answer, (const char *)answer, len); flow->protos.mdns.answer[len] = '\0'; - NDPI_LOG(NDPI_PROTOCOL_MDNS, ndpi_struct, NDPI_LOG_DEBUG, "found MDNS with answer query.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MDNS with answer query\n"); return 1; } 
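Review bot: In the answer branch of ndpi_int_check_mdns_payload (mdns.c), the unchanged lines `strncpy(flow->protos.mdns.answer, (const char *)answer, len);` and `flow->protos.mdns.answer[len] = '\0';` are only safe when `len` is strictly smaller than the size of `answer`, and that bound is not visible in this hunk. `len` is presumably derived from packet data, so it is worth confirming while the function is being touched. If the clamp is missing or allows `len == sizeof(...)`, add `if(len >= sizeof(flow->protos.mdns.answer)) len = sizeof(flow->protos.mdns.answer) - 1;` before the copy. The function body starts and continues outside the hunk.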
@@ -98,6 +102,8 @@ void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct n struct ndpi_packet_struct *packet = &flow->packet; u_int16_t dport; + NDPI_LOG_DBG(ndpi_struct, "search MDNS\n"); + /** information from http://www.it-administrator.de/lexikon/multicast-dns.html */ @@ -112,8 +118,7 @@ void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct n /* mdns protocol must have destination address 224.0.0.251 */ if(packet->iph != NULL /* && ntohl(packet->iph->daddr) == 0xe00000fb */) { - NDPI_LOG(NDPI_PROTOCOL_MDNS, ndpi_struct, - NDPI_LOG_DEBUG, "found MDNS with destination address 224.0.0.251 (=0xe00000fb)\n"); + NDPI_LOG_INFO(ndpi_struct, "found MDNS with destination address 224.0.0.251 (=0xe00000fb)\n"); if(ndpi_int_check_mdns_payload(ndpi_struct, flow) == 1) { ndpi_int_mdns_add_connection(ndpi_struct, flow); @@ -125,8 +130,7 @@ void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct n const u_int32_t *daddr = packet->iphv6->ip6_dst.u6_addr.u6_addr32; if(daddr[0] == htonl(0xff020000) /* && daddr[1] == 0 && daddr[2] == 0 && daddr[3] == htonl(0xfb) */) { - NDPI_LOG(NDPI_PROTOCOL_MDNS, ndpi_struct, - NDPI_LOG_DEBUG, "found MDNS with destination address ff02::fb\n"); + NDPI_LOG_INFO(ndpi_struct, "found MDNS with destination address ff02::fb\n"); if(ndpi_int_check_mdns_payload(ndpi_struct, flow) == 1) { ndpi_int_mdns_add_connection(ndpi_struct, flow); @@ -137,7 +141,7 @@ void ndpi_search_mdns(struct ndpi_detection_module_struct *ndpi_struct, struct n #endif } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MDNS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/megaco.c b/src/lib/protocols/megaco.c index 7b7d910de..bb317f5d5 100644 --- a/src/lib/protocols/megaco.c +++ b/src/lib/protocols/megaco.c 
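Review bot: The two `NDPI_LOG_INFO` calls "found MDNS with destination address ..." in ndpi_search_mdns fire before `ndpi_int_check_mdns_payload()` has accepted the packet, and the address comparisons they describe are commented out (`/* && ntohl(packet->iph->daddr) == 0xe00000fb */`, and most of the IPv6 test likewise). At INFO level this reports a match for every packet that reaches the branch, which misleads anyone reading the log while checking a classification. I would lower both to `NDPI_LOG_DBG2(ndpi_struct, "checking MDNS payload\n");` and leave the INFO "found" messages to the payload check, which already emits them.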
@@ -18,16 +18,20 @@ * If not, see . */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_MEGACO + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MEGACO #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_MEGACO void ndpi_search_megaco(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_MEGACO, ndpi_struct, NDPI_LOG_DEBUG, "search for MEGACO.\n"); + NDPI_LOG_DBG(ndpi_struct, "search for MEGACO\n"); if(packet->udp != NULL) { if((packet->payload_packet_len > 4 && packet->payload[0] == '!' && packet->payload[1] == '/' && @@ -36,14 +40,13 @@ void ndpi_search_megaco(struct ndpi_detection_module_struct *ndpi_struct, struct packet->payload[2] == 'G' && packet->payload[3] == 'A' && packet->payload[4] == 'C' && packet->payload[5] == 'O' && packet->payload[6] == '/' && packet->payload[7] == '1' && packet->payload[8] == ' ' && packet->payload[9] == '[')) { - NDPI_LOG(NDPI_PROTOCOL_MEGACO, ndpi_struct, NDPI_LOG_DEBUG, "found MEGACO.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MEGACO\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MEGACO, NDPI_PROTOCOL_UNKNOWN); return; } } - NDPI_LOG(NDPI_PROTOCOL_MEGACO, ndpi_struct, NDPI_LOG_DEBUG, "exclude MEGACO.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MEGACO); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/mgcp.c b/src/lib/protocols/mgcp.c index e16091642..69fe33fac 100644 --- a/src/lib/protocols/mgcp.c +++ b/src/lib/protocols/mgcp.c @@ -20,10 +20,16 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" + +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_MGCP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MGCP + +#include "ndpi_api.h" + + static void ndpi_int_mgcp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
@@ -39,40 +45,39 @@ void ndpi_search_mgcp(struct ndpi_detection_module_struct *ndpi_struct, struct n u_int16_t pos = 5; - if (packet->payload_packet_len < 8) { - goto mgcp_excluded; - } - - /* packet must end with 0x0d0a or with 0x0a */ - if (packet->payload[packet->payload_packet_len - 1] != 0x0a) { - goto mgcp_excluded; - } - - if (packet->payload[0] != 'A' && packet->payload[0] != 'C' && packet->payload[0] != 'D' && - packet->payload[0] != 'E' && packet->payload[0] != 'M' && packet->payload[0] != 'N' && - packet->payload[0] != 'R') { - goto mgcp_excluded; - } - if (memcmp(packet->payload, "AUEP ", 5) != 0 && memcmp(packet->payload, "AUCX ", 5) != 0 && - memcmp(packet->payload, "CRCX ", 5) != 0 && memcmp(packet->payload, "DLCX ", 5) != 0 && - memcmp(packet->payload, "EPCF ", 5) != 0 && memcmp(packet->payload, "MDCX ", 5) != 0 && - memcmp(packet->payload, "NTFY ", 5) != 0 && memcmp(packet->payload, "RQNT ", 5) != 0 && - memcmp(packet->payload, "RSIP ", 5) != 0) { - goto mgcp_excluded; - } - // now search for string "MGCP " in the rest of the message - while ((pos + 4) < packet->payload_packet_len) { - if (memcmp(&packet->payload[pos], "MGCP ", 5) == 0) { - NDPI_LOG(NDPI_PROTOCOL_MGCP, ndpi_struct, NDPI_LOG_DEBUG, "MGCP match.\n"); - ndpi_int_mgcp_add_connection(ndpi_struct, flow); - return; + NDPI_LOG_DBG(ndpi_struct, "search MGCP\n"); + + do { + if (packet->payload_packet_len < 8) break; + + /* packet must end with 0x0d0a or with 0x0a */ + if (packet->payload[packet->payload_packet_len - 1] != 0x0a) break; + + if (packet->payload[0] != 'A' && packet->payload[0] != 'C' && packet->payload[0] != 'D' && + packet->payload[0] != 'E' && packet->payload[0] != 'M' && packet->payload[0] != 'N' && + packet->payload[0] != 'R') + break; + + if (memcmp(packet->payload, "AUEP ", 5) != 0 && memcmp(packet->payload, "AUCX ", 5) != 0 && + memcmp(packet->payload, "CRCX ", 5) != 0 && memcmp(packet->payload, "DLCX ", 5) != 0 && + memcmp(packet->payload, "EPCF ", 5) != 0 && 
memcmp(packet->payload, "MDCX ", 5) != 0 && + memcmp(packet->payload, "NTFY ", 5) != 0 && memcmp(packet->payload, "RQNT ", 5) != 0 && + memcmp(packet->payload, "RSIP ", 5) != 0) + break; + + // now search for string "MGCP " in the rest of the message + while ((pos + 4) < packet->payload_packet_len) { + if (memcmp(&packet->payload[pos], "MGCP ", 5) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found MGCP\n"); + ndpi_int_mgcp_add_connection(ndpi_struct, flow); + return; + } + pos++; } - pos++; - } - mgcp_excluded: - NDPI_LOG(NDPI_PROTOCOL_MGCP, ndpi_struct, NDPI_LOG_DEBUG, "exclude MGCP.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MGCP); + } while(0); + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/mms.c b/src/lib/protocols/mms.c index d6b4edbca..42391b5fc 100644 --- a/src/lib/protocols/mms.c +++ b/src/lib/protocols/mms.c @@ -23,10 +23,14 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_CONTENT_MMS +#define NDPI_CURRENT_PROTO NDPI_CONTENT_MMS + +#include "ndpi_api.h" + static void ndpi_int_mms_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -39,9 +43,7 @@ void ndpi_search_mms_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - + NDPI_LOG_DBG(ndpi_struct, "search MMS\n"); /* search MSMMS packets */ if (packet->payload_packet_len >= 20) { 
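Review bot: The `do { ... } while(0)` that now wraps the checks in ndpi_search_mgcp is used only as a jump target for `break`, and the code does not say so. A reader sees a loop construct around a body that never repeats. I would put `/* single pass: break means "not MGCP" and falls through to NDPI_EXCLUDE_PROTO */` above the `do`. The function starts outside the hunk.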
@@ -49,7 +51,7 @@ void ndpi_search_mms_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc && packet->payload[5] == 0xfa && packet->payload[6] == 0x0b && packet->payload[7] == 0xb0 && packet->payload[12] == 0x4d && packet->payload[13] == 0x4d && packet->payload[14] == 0x53 && packet->payload[15] == 0x20) { - NDPI_LOG(NDPI_CONTENT_MMS, ndpi_struct, NDPI_LOG_DEBUG, "MMS: MSMMS Request found \n"); + NDPI_LOG_INFO(ndpi_struct, "found MMS: MSMMS Request \n"); flow->l4.tcp.mms_stage = 1 + packet->packet_direction; return; } @@ -59,7 +61,7 @@ void ndpi_search_mms_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc && packet->payload[6] == 0x0b && packet->payload[7] == 0xb0 && packet->payload[12] == 0x4d && packet->payload[13] == 0x4d && packet->payload[14] == 0x53 && packet->payload[15] == 0x20) { - NDPI_LOG(NDPI_CONTENT_MMS, ndpi_struct, NDPI_LOG_DEBUG, "MMS: MSMMS Response found \n"); + NDPI_LOG_INFO(ndpi_struct, "found MMS: MSMMS Response \n"); ndpi_int_mms_add_connection(ndpi_struct, flow); return; } @@ -67,12 +69,11 @@ void ndpi_search_mms_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc #ifdef NDPI_PROTOCOL_HTTP if (NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP) != 0) { #endif /* NDPI_PROTOCOL_HTTP */ - NDPI_LOG(NDPI_CONTENT_MMS, ndpi_struct, NDPI_LOG_DEBUG, "MMS: exclude\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_CONTENT_MMS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); #ifdef NDPI_PROTOCOL_HTTP } else { - NDPI_LOG(NDPI_CONTENT_MMS, ndpi_struct, NDPI_LOG_DEBUG, "MMS avoid early exclude from http\n"); + NDPI_LOG_DBG(ndpi_struct, "MMS avoid early exclude from http\n"); } #endif /* NDPI_PROTOCOL_HTTP */ diff --git a/src/lib/protocols/mpegts.c b/src/lib/protocols/mpegts.c index 4970147e1..3558bdce7 100644 --- a/src/lib/protocols/mpegts.c +++ b/src/lib/protocols/mpegts.c 
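Review bot: `NDPI_LOG_INFO(ndpi_struct, "found MMS: MSMMS Request \n");` in ndpi_search_mms_tcp reports a detection, but this branch only stores `flow->l4.tcp.mms_stage` and returns; the protocol is added in the response branch below it. An INFO "found" line for a flow that is never confirmed makes the log disagree with the classification result. I would use `NDPI_LOG_DBG2(ndpi_struct, "MMS: MSMMS Request seen, waiting for response\n");` here and keep INFO for the response branch.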
@@ -19,16 +19,19 @@ * */ - -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_MPEGTS +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MPEGTS + +#include "ndpi_api.h" + void ndpi_search_mpegts(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_MPEGTS, ndpi_struct, NDPI_LOG_DEBUG, "search for MPEGTS.\n"); + NDPI_LOG_DBG(ndpi_struct, "search MPEGTS\n"); if((packet->udp != NULL) && ((packet->payload_packet_len % 188) == 0)) { u_int i, num_chunks = packet->payload_packet_len / 188; @@ -40,13 +43,13 @@ void ndpi_search_mpegts(struct ndpi_detection_module_struct *ndpi_struct, struct } /* This looks MPEG TS */ + NDPI_LOG_INFO(ndpi_struct, "found MPEGTS\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MPEGTS, NDPI_PROTOCOL_UNKNOWN); return; } no_mpegts: - NDPI_LOG(NDPI_PROTOCOL_MPEGTS, ndpi_struct, NDPI_LOG_DEBUG, "Excluded MPEGTS.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MPEGTS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/mqtt.c b/src/lib/protocols/mqtt.c index 37c469066..950dde5d1 100644 --- a/src/lib/protocols/mqtt.c +++ b/src/lib/protocols/mqtt.c @@ -21,9 +21,15 @@ * */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_MQTT +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MQTT + +#include "ndpi_api.h" + + /** * The type of control messages in mqtt version 3.1.1 * see http://docs.oasis-open.org/mqtt/mqtt/v3.1.1 @@ -52,7 +58,7 @@ static void ndpi_int_mqtt_add_connection (struct ndpi_detection_module_struct *n struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct,flow,NDPI_PROTOCOL_MQTT,NDPI_PROTOCOL_UNKNOWN); - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Mqtt\n"); } /** 
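Review bot: The entry test in ndpi_search_mpegts, `(packet->payload_packet_len % 188) == 0`, is also true for a zero-length payload, in which case `num_chunks` is 0. The per-chunk loop is outside the hunks shown, but if it iterates up to `num_chunks` it is skipped and the flow reaches the new `NDPI_LOG_INFO(ndpi_struct, "found MPEGTS\n")` and `ndpi_set_detected_protocol` without any sync byte having been checked. If empty UDP payloads can reach this dissector, add `(packet->payload_packet_len > 0) &&` to the condition.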
@@ -61,95 +67,96 @@ static void ndpi_int_mqtt_add_connection (struct ndpi_detection_module_struct *n void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt search called...\n"); + u_int8_t rl,pt,flags; + + NDPI_LOG_DBG(ndpi_struct, "search Mqtt\n"); struct ndpi_packet_struct *packet = &flow->packet; if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { return; } - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt detection...\n"); if (flow->packet_counter > 10) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt .. mandatory header not found!\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "====>>>> Mqtt header: %4x%4x%4x%4x [len: %u]\n", + NDPI_LOG_DBG2(ndpi_struct, "====>>>> Mqtt header: %4x%4x%4x%4x [len: %u]\n", packet->payload[0], packet->payload[1], packet->payload[2], packet->payload[3], packet->payload_packet_len); if (packet->payload_packet_len < 2) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt .. mandatory header not found!\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. mandatory header not found!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } if (packet->payload_packet_len > 258) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt .. maximum packet size exceeded!\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. 
maximum packet size exceeded!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } // we extract the remaining length - u_int8_t rl = (u_int8_t) (packet->payload[1]); + rl = (u_int8_t) (packet->payload[1]); if (packet->payload_packet_len != (rl + 2)) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt .. packet size exceeded!\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. packet size exceeded!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } // we extract the packet type - u_int8_t pt = (u_int8_t) ((packet->payload[0] & 0xF0) >> 4); - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> Mqtt packet type: [%d]\n",pt); + pt = (u_int8_t) ((packet->payload[0] & 0xF0) >> 4); + NDPI_LOG_DBG2(ndpi_struct,"====>>>> Mqtt packet type: [%d]\n",pt); if ((pt == 0) || (pt == 15)) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt .. invalid packet type!\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt .. 
invalid packet type!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } // we extract the flags - u_int8_t flags = (u_int8_t) (packet->payload[0] & 0x0F); - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> Mqtt flags type: [%d]\n",flags); + flags = (u_int8_t) (packet->payload[0] & 0x0F); + NDPI_LOG_DBG2(ndpi_struct,"====>>>> Mqtt flags type: [%d]\n",flags); // first stage verification if (((pt == CONNECT) || (pt == CONNACK) || (pt == PUBACK) || (pt == PUBREC) || (pt == PUBCOMP) || (pt == SUBACK) || (pt == UNSUBACK) || (pt == PINGREQ) || (pt == PINGRESP) || (pt == DISCONNECT)) && (flags > 0)) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid Packet-Flag combination flag!=0\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Flag combination flag!=0\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } if (((pt == PUBREL) || (pt == SUBSCRIBE) || (pt == UNSUBSCRIBE)) && (flags != 2)) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid Packet-Flag combination flag!=2\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Flag combination flag!=2\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> Passed first stage of identification\n"); + NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed first stage of identification\n"); // second stage verification (no payload, just variable headers) if ((pt == CONNACK) || (pt == PUBACK) || (pt == PUBREL) || (pt == PUBREC) || (pt == PUBCOMP) || (pt == UNSUBACK)) { if (packet->payload_packet_len != 4) { // these packets are always 4 bytes long - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid Packet-Length < 4 \n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Length < 4 \n"); 
NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } else { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt found CONNACK/PUBACK/PUBREL/PUBREC/PUBCOMP/UNSUBACK\n"); + NDPI_LOG_INFO(ndpi_struct, "found Mqtt CONNACK/PUBACK/PUBREL/PUBREC/PUBCOMP/UNSUBACK\n"); ndpi_int_mqtt_add_connection(ndpi_struct,flow); return; } } if ((pt == PINGREQ) || (pt == PINGRESP) || (pt == DISCONNECT)) { if (packet->payload_packet_len != 2) { // these packets are always 2 bytes long - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid Packet-Length <2 \n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid Packet-Length <2 \n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } else { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt found PING/PINGRESP/DISCONNECT\n"); + NDPI_LOG_INFO(ndpi_struct, "found Mqtt PING/PINGRESP/DISCONNECT\n"); ndpi_int_mqtt_add_connection(ndpi_struct,flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> Passed second stage of identification\n"); + NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed second stage of identification\n"); // third stage verification (payload) if (pt == CONNECT) { if (packet->payload_packet_len >= 8 && memcmp(&(packet->payload[4]),"MQTT",4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt found CONNECT\n"); + NDPI_LOG_DBG(ndpi_struct, "found Mqtt CONNECT\n"); ndpi_int_mqtt_add_connection(ndpi_struct,flow); return; } else { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid CONNECT\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid CONNECT\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } 
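Review bot: The `NDPI_LOG_DBG2` call that prints the "Mqtt header" in ndpi_search_mqtt passes `packet->payload[0]` through `packet->payload[3]` before any length check; the `payload_packet_len < 2` test only comes after it. For a payload shorter than four bytes those arguments index past the payload whenever the macro evaluates them (how it expands with debug logging disabled is not visible here). Move the call below the `payload_packet_len < 2` check and print only `payload[0]` and `payload[1]`, or guard it with `if (packet->payload_packet_len >= 4)`. Separately, the early-exit paths in this hunk still call `NDPI_ADD_PROTOCOL_TO_BITMASK` directly rather than `NDPI_EXCLUDE_PROTO`, unlike the other dissectors in this commit.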
@@ -160,79 +167,78 @@ void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t retain = (u_int8_t) (flags & 0x01); u_int8_t dup = (u_int8_t) (flags & 0x04); if (qos > 2) { // qos values possible are 0,1,2 - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid PUBLISH qos\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } if (retain > 1) { // retain flag possible 0,1 - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid PUBLISH retain\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH retain\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } if (dup > 1) { // dup flag possible 0,1 - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid PUBLISH dup\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH dup\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } if (qos == 0) { if (dup != 0) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid PUBLISH qos0 and dup combination\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 and dup combination\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } if (packet->payload_packet_len < 5) { // at least topic (3Bytes + 2Bytes fixed header) - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid PUBLISH qos0 size\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos0 size\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } } if ((qos == 1) || (qos == 2)) { if (packet->payload_packet_len < 7 ) { // at least topic + pkt identifier (3Bytes + 2Bytes + 2Bytes fixed header) - NDPI_LOG(NDPI_PROTOCOL_MQTT, 
ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid PUBLISH qos1&2\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid PUBLISH qos1&2\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } } - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt found PUBLISH\n"); + NDPI_LOG_INFO(ndpi_struct, "found Mqtt PUBLISH\n"); ndpi_int_mqtt_add_connection(ndpi_struct,flow); return; } if (pt == SUBSCRIBE) { if (packet->payload_packet_len < 8) { // at least one topic+filter is required in the payload - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid SUBSCRIBE\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid SUBSCRIBE\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } else { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt found SUBSCRIBE\n"); + NDPI_LOG_INFO(ndpi_struct, "found Mqtt SUBSCRIBE\n"); ndpi_int_mqtt_add_connection(ndpi_struct,flow); return; } } if (pt == SUBACK ) { if (packet->payload_packet_len <5 ) { // must have at least a response code - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid SUBACK\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid SUBACK\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } else { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt found SUBACK\n"); + NDPI_LOG_INFO(ndpi_struct, "found Mqtt SUBACK\n"); ndpi_int_mqtt_add_connection(ndpi_struct,flow); return; } } if (pt == UNSUBSCRIBE) { if (packet->payload_packet_len < 7) { // at least a topic - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Excluding Mqtt invalid UNSUBSCRIBE\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding Mqtt invalid UNSUBSCRIBE\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); return; } else { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt 
found UNSUBSCRIBE\n",pt); + NDPI_LOG_INFO(ndpi_struct, "found Mqtt UNSUBSCRIBE\n",pt); ndpi_int_mqtt_add_connection(ndpi_struct,flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> Passed third stage of identification"); - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Reached the end excluding Mqtt ...\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MQTT); + NDPI_LOG_DBG2(ndpi_struct,"====>>>> Passed third stage of identification"); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } /** @@ -241,7 +247,6 @@ void ndpi_search_mqtt (struct ndpi_detection_module_struct *ndpi_struct, void init_mqtt_dissector (struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { - NDPI_LOG(NDPI_PROTOCOL_MQTT, ndpi_struct, NDPI_LOG_DEBUG, "Mqtt dissector init...\n"); ndpi_set_bitmask_protocol_detection ("MQTT", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_MQTT, ndpi_search_mqtt, diff --git a/src/lib/protocols/msn.c b/src/lib/protocols/msn.c index 2938d39b8..4c5b73dcd 100644 --- a/src/lib/protocols/msn.c +++ b/src/lib/protocols/msn.c @@ -21,10 +21,16 @@ * along with nDPI. If not, see . * */ -#include "ndpi_api.h" + +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_MSN +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MSN + +#include "ndpi_api.h" + #define MAX_PACKETS_FOR_MSN 100 static void ndpi_int_msn_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
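Review bot: In the PUBLISH branch of ndpi_search_mqtt, `u_int8_t dup = (u_int8_t) (flags & 0x04);` yields 0 or 4, so the following `if (dup > 1)` excludes every packet with that bit set instead of validating a 0/1 flag. In the MQTT 3.1.1 fixed header DUP is bit 3 (0x08) and 0x04 is the upper QoS bit, so valid QoS 2 PUBLISH packets are presumably rejected here as "invalid PUBLISH dup" (the `qos` computation is above the hunk). I would write `u_int8_t dup = (u_int8_t) ((flags & 0x08) >> 3);`. In the added lines, `NDPI_LOG_INFO(ndpi_struct, "found Mqtt UNSUBSCRIBE\n",pt);` passes `pt` with no conversion in the format string; drop the argument.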
@@ -59,17 +65,16 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct u_int16_t plen; u_int16_t status = 0; - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN tcp detection...\n"); #ifdef NDPI_PROTOCOL_SSL if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "msn ssl ft test\n"); + NDPI_LOG_DBG2(ndpi_struct, "msn ssl ft test\n"); if(flow->packet_counter < 10) { if(flow->packet_counter == 7 && packet->payload_packet_len > 300) { if(memcmp(packet->payload + 24, "MSNSLP", 6) == 0 || (get_u_int32_t(packet->payload, 0) == htonl(0x30000000) && get_u_int32_t(packet->payload, 4) == 0x00000000)) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "detected MSN File Transfer, ifdef ssl.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN File Transfer, ifdef ssl\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } @@ -77,12 +82,12 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct if(flow->packet_counter >= 5 && flow->packet_counter <= 10 && (get_u_int32_t(packet->payload, 0) == htonl(0x18000000) && get_u_int32_t(packet->payload, 4) == 0x00000000)) { flow->l4.tcp.msn_ssl_ft++; - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, + NDPI_LOG_DBG2(ndpi_struct, "increased msn ft ssl stage to: %u at packet nr: %u\n", flow->l4.tcp.msn_ssl_ft, flow->packet_counter); if (flow->l4.tcp.msn_ssl_ft == 2) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, - "detected MSN File Transfer, ifdef ssl 2.\n"); + NDPI_LOG_INFO(ndpi_struct, + "found MSN File Transfer, ifdef ssl 2.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); } return; 
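Review bot: In the SSL file-transfer branch of ndpi_search_msn_tcp, the test `get_u_int32_t(packet->payload, 0) == htonl(0x18000000) && get_u_int32_t(packet->payload, 4) == 0x00000000` reads eight payload bytes, and no `payload_packet_len` check is visible in front of it (the `packet_counter == 7` test above has its own `> 300` guard). Unless the length is established outside the hunk, add `packet->payload_packet_len >= 8 &&` to that condition. The first hunk also removes the entry trace message without adding the `NDPI_LOG_DBG(ndpi_struct, "search msn\n");` that the other dissectors in this commit now open with.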
@@ -109,18 +114,13 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct && ((ntohl(get_u_int32_t(packet->payload, 24)) == 0x000f0004 && ntohl(get_u_int32_t(packet->payload, 28)) == 0x72c64bc6) || (ntohl(get_u_int32_t(packet->payload, 20)) == 0x000f0004 && ntohl(get_u_int32_t(packet->payload, 24)) == 0x72c64bc6))) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, + NDPI_LOG_INFO(ndpi_struct, "found MSN in packets that also contain voice.messenger.live.com.\n"); /* TODO this is an alternative pattern for video detection */ /* if (packet->payload_packet_len > 100 && get_u_int16_t(packet->payload, 86) == htons(0x05dc)) { */ - if(packet->payload_packet_len > 101 && packet->payload[101] == 0x02) { - ndpi_int_msn_add_connection(ndpi_struct, flow); - } else { - ndpi_int_msn_add_connection(ndpi_struct, flow); - } - + ndpi_int_msn_add_connection(ndpi_struct, flow); return; } @@ -133,14 +133,12 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct if (memcmp(&packet->payload[packet->payload_packet_len - 6], "CVR", 3) == 0 || memcmp(&packet->payload[packet->payload_packet_len - 8], "MSNP", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, - "found MSN by pattern VER...CVR/MSNP ODOA.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN by pattern VER...CVR/MSNP ODOA\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } if (ndpi_match_strprefix(&packet->payload[4], packet->payload_packet_len-4, "MSNFT")) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, - "found MSN FT by pattern VER MSNFT...0d0a.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN FT by pattern VER MSNFT...0d0a\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } 
@@ -157,6 +155,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len > NDPI_STATICSTRING_LEN("Messenger/") && memcmp(packet->user_agent_line.ptr, "Messenger/", NDPI_STATICSTRING_LEN("Messenger/")) == 0) { + NDPI_LOG_INFO(ndpi_struct, "found MSN Messenger/\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } @@ -184,8 +183,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct (packet->content_line.len >= NDPI_STATICSTRING_LEN("text/x-msnmsgr") && memcmp(packet->content_line.ptr, "text/x-msnmsgr", NDPI_STATICSTRING_LEN("text/x-msnmsgr")) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, - "found MSN by pattern POST http:// .... application/x-msn-messenger.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN POST application/x-msn-messenger\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } @@ -209,16 +207,14 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct for(c = 13; c < 50; c++) { if(memcmp(&packet->payload[c], "/", 1) == 0) { if(memcmp(&packet->payload[c], "/gateway/gateway.dll", 20) == 0) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, - "found pattern http://.../gateway/gateway.ddl.\n"); + NDPI_LOG_DBG2(ndpi_struct, "found pattern http://.../gateway/gateway.ddl\n"); status = 1; break; } } } } else if((memcmp(&packet->payload[5], "/gateway/gateway.dll", 20) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, - "found pattern http://.../gateway/gateway.ddl.\n"); + NDPI_LOG_DBG2(ndpi_struct, "found pattern http://.../gateway/gateway.ddl\n"); status = 1; } } 
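Review bot: Both new `NDPI_LOG_DBG2` strings in the `@@ -209,16 +207,14 @@` hunk spell the matched path as `gateway.ddl`, while the `memcmp` beside them tests `/gateway/gateway.dll`, so searching debug output for the real pattern finds nothing. The text should read `"found pattern http://.../gateway/gateway.dll\n"`. The later `@@ -248,10 +244,8 @@` hunk carries the same kind of slip in `"found MSN with pattern text/sml; charset0utf-8\n"` (presumably `text/xml; charset=utf-8`, as in the hunk just above it) and in `"found MSN xml CVS / VER / ANS found\n"`, which repeats "found". Since this commit rewrites every one of these strings anyway, it is the cheapest moment to correct them.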
@@ -239,7 +235,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct if ((src != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0) || (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0)) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN with pattern text/xml; charset=utf-8.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN with pattern text/xml; charset=utf-8\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } @@ -248,10 +244,8 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct || memcmp(packet->line[a].ptr, "VER ", 4) == 0 || memcmp(packet->line[a].ptr, "ANS ", 4) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, - "found MSN with pattern text/sml; charset0utf-8.\n"); - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, - NDPI_LOG_TRACE, "MSN xml CVS / VER / ANS found\n"); + NDPI_LOG_DBG2(ndpi_struct, "found MSN with pattern text/sml; charset0utf-8\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN xml CVS / VER / ANS found\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } @@ -280,13 +274,13 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct (packet->content_line.len >= NDPI_STATICSTRING_LEN("text/x-msnmsgr") && memcmp(packet->content_line.ptr, "text/x-msnmsgr", NDPI_STATICSTRING_LEN("text/x-msnmsgr")) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, - "HTTP/1.0 200 OK .... application/x-msn-messenger.\n"); + NDPI_LOG_INFO(ndpi_struct, + "found MSN application/x-msn-messenger.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } if(ndpi_int_find_xmsn(ndpi_struct, flow) == 1) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "HTTP/1.0 200 OK .... X-MSN.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN X-MSN\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } 
@@ -296,7 +290,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct /* now block proxy connection */ if(packet->payload_packet_len >= 42) { if(memcmp(packet->payload, "CONNECT messenger.hotmail.com:1863 HTTP/1.", 42) == 0) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN with pattern CONNECT messenger.hotmail.com:1863 HTTP/1..\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN with pattern CONNECT messenger.hotmail.com:1863 HTTP/1.\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } @@ -322,7 +316,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct while (plen < endlen) { if (ndpi_check_for_email_address(ndpi_struct, flow, plen) != 0) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found mail address\n"); + NDPI_LOG_DBG2(ndpi_struct, "found mail address\n"); break; } if (packet->payload_packet_len > plen + 1 @@ -334,7 +328,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct goto ndpi_msn_exclude; } } - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "found MSN with pattern USR/ANS ...mail_address.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN with pattern USR/ANS ...mail_address\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } 
@@ -362,12 +356,12 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct (packet->content_line.len >= NDPI_STATICSTRING_LEN("text/x-msnmsgr") && memcmp(packet->content_line.ptr, "text/x-msnmsgr", NDPI_STATICSTRING_LEN("text/x-msnmsgr")) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "HTTP/1.0 200 OK .... application/x-msn-messenger.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN application/x-msn-messenger\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } if(ndpi_int_find_xmsn(ndpi_struct, flow) == 1) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "HTTP/1.0 200 OK .... X-MSN.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN X-MSN\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } @@ -381,7 +375,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) != 0)) { if (flow->packet_counter == 1 && packet->payload_packet_len > 12 && memcmp(packet->payload, "recipientid=", 12) == 0) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "detected file transfer.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN file transfer\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); return; } @@ -396,7 +390,7 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct if((packet->payload_packet_len == 4 || packet->payload_packet_len == 8) && get_u_int32_t(packet->payload, 0) == htonl(0x04000000)) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "maybe first TCP MSN detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe first TCP MSN detected\n"); if(packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 4) == htonl(0x666f6f00)) { flow->l4.tcp.msn_stage = 5 + packet->packet_direction; 
@@ -409,12 +403,12 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct } else if (flow->l4.tcp.msn_stage == 1 + packet->packet_direction) { if (packet->payload_packet_len > 10 && get_u_int32_t(packet->payload, 0) == htonl(0x666f6f00)) { ndpi_int_msn_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 1\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN File Transfer 1\n"); return; } /* did not see this pattern in any trace */ if (packet->payload_packet_len == 56 && get_u_int32_t(packet->payload, 16) == 0) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "maybe Second TCP MSN detected\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe Second TCP MSN detected\n"); flow->l4.tcp.msn_stage = 3 + packet->packet_direction; return; } 
@@ -423,30 +417,30 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct } else if (flow->l4.tcp.msn_stage == 2 - packet->packet_direction && packet->payload_packet_len == 4 && get_u_int32_t(packet->payload, 0) == htonl(0x30000000)) { ndpi_int_msn_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 2\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN File Transfer 2\n"); return; } else if ((flow->l4.tcp.msn_stage == 3 + packet->packet_direction) || (flow->l4.tcp.msn_stage == 4 - packet->packet_direction)) { if (packet->payload_packet_len == 4 && get_u_int32_t(packet->payload, 0) == htonl(0x30000000)) { ndpi_int_msn_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 2\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN File Transfer 2\n"); return; } } else if (flow->l4.tcp.msn_stage == 6 - packet->packet_direction) { if ((packet->payload_packet_len == 4) && (get_u_int32_t(packet->payload, 0) == htonl(0x10000000) || get_u_int32_t(packet->payload, 0) == htonl(0x30000000))) { ndpi_int_msn_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 3\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN File Transfer 3\n"); return; } } else if (flow->l4.tcp.msn_stage == 5 + packet->packet_direction) { if ((packet->payload_packet_len == 20) && get_u_int32_t(packet->payload, 0) == htonl(0x10000000)) { ndpi_int_msn_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN File Transfer detected 3\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN File Transfer 3\n"); return; } } - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_DEBUG, "msn 7.\n"); + NDPI_LOG_DBG(ndpi_struct, "msn 7\n"); if (flow->packet_counter <= MAX_PACKETS_FOR_MSN) { if (memcmp(&packet->payload[0], "MSG ", 4) == 0 
@@ -459,13 +453,12 @@ static void ndpi_search_msn_tcp(struct ndpi_detection_module_struct *ndpi_struct || memcmp(&packet->payload[0], "XFR ", 4) == 0) { ndpi_int_msn_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN\n"); return; } } - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "MSN tcp excluded.\n"); ndpi_msn_exclude: - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MSN); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } /* search over UDP */ @@ -482,7 +475,7 @@ static void ndpi_search_msn_udp_misc(struct ndpi_detection_module_struct if ((src == NULL || NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) == 0) && (dst == NULL || NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_MSN) == 0)) { - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MSN); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -490,7 +483,7 @@ static void ndpi_search_msn_udp_misc(struct ndpi_detection_module_struct if (packet->payload_packet_len == 20 && get_u_int32_t(packet->payload, 4) == 0 && packet->payload[9] == 0 && get_u_int16_t(packet->payload, 10) == htons(0x0100)) { - NDPI_LOG(NDPI_PROTOCOL_MSN, ndpi_struct, NDPI_LOG_TRACE, "msn udp misc data connection detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found MSN udp misc data connection\n"); ndpi_int_msn_add_connection(ndpi_struct, flow); } @@ -504,6 +497,7 @@ void ndpi_search_msn(struct ndpi_detection_module_struct *ndpi_struct, struct nd { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search msn\n"); /* this if request should always be true */ if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MSN) == 0) { /* we deal with tcp now */ diff --git a/src/lib/protocols/mssql_tds.c b/src/lib/protocols/mssql_tds.c index 42cecb8e2..75507fd52 100644 
--- a/src/lib/protocols/mssql_tds.c +++ b/src/lib/protocols/mssql_tds.c @@ -22,10 +22,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_MSSQL_TDS +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MSSQL_TDS + +#include "ndpi_api.h" + + struct tds_packet_header { u_int8_t type; u_int8_t status; @@ -46,24 +51,24 @@ void ndpi_search_mssql_tds(struct ndpi_detection_module_struct *ndpi_struct, str struct ndpi_packet_struct *packet = &flow->packet; struct tds_packet_header *h = (struct tds_packet_header*) packet->payload; + NDPI_LOG_DBG(ndpi_struct, "search mssql_tds\n"); + if(packet->payload_packet_len < sizeof(struct tds_packet_header)) { - NDPI_LOG(NDPI_PROTOCOL_MSSQL_TDS, ndpi_struct, NDPI_LOG_DEBUG, "exclude mssql_tds\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MSSQL_TDS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } if((h->type >= 1 && h->type <= 8) || (h->type >= 14 && h->type <= 18)) { if(h->status == 0x00 || h->status == 0x01 || h->status == 0x02 || h->status == 0x04 || h->status == 0x08 || h->status == 0x09 || h->status == 0x10) { if(ntohs(h->length) == packet->payload_packet_len && h->window == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_MSSQL_TDS, ndpi_struct, NDPI_LOG_DEBUG, "found mssql_tds\n"); + NDPI_LOG_INFO(ndpi_struct, "found mssql_tds\n"); ndpi_int_mssql_tds_add_connection(ndpi_struct, flow); return; } } } - NDPI_LOG(NDPI_PROTOCOL_MSSQL_TDS, ndpi_struct, NDPI_LOG_DEBUG, "exclude mssql_tds\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MSSQL_TDS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/mysql.c b/src/lib/protocols/mysql.c index e500b2976..d1e695e55 100644 --- a/src/lib/protocols/mysql.c +++ b/src/lib/protocols/mysql.c 
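Review bot: `ndpi_search_mssql_tds` still overlays `struct tds_packet_header` on `packet->payload` with a pointer cast and reads `h->length` through it. The payload pointer carries no alignment guarantee, so on strict-alignment targets the 16-bit load can fault, and the overlay matches the wire layout only if the struct has no padding (its full definition is outside the hunk). Copying the header out first avoids both: `struct tds_packet_header hdr; memcpy(&hdr, packet->payload, sizeof(hdr));`, placed after the existing `payload_packet_len < sizeof(struct tds_packet_header)` check. A one-line comment on the accepted `type` and `status` values would also help the next reader judge how likely a false positive is.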
@@ -23,10 +23,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_MYSQL +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MYSQL + +#include "ndpi_api.h" + + static void ndpi_int_mysql_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -36,9 +41,9 @@ static void ndpi_int_mysql_add_connection(struct ndpi_detection_module_struct void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + + NDPI_LOG_DBG(ndpi_struct, "search MySQL\n"); - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; if(packet->tcp) { if (packet->payload_packet_len > 38 //min length && get_u_int16_t(packet->payload, 0) == packet->payload_packet_len - 4 //first 3 bytes are length @@ -55,7 +60,7 @@ void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, str && get_u_int64_t(packet->payload, a + 19) == 0x0ULL //13 more && get_u_int32_t(packet->payload, a + 27) == 0x0 //filler bytes && get_u_int8_t(packet->payload, a + 31) == 0x0) { - NDPI_LOG(NDPI_PROTOCOL_MYSQL, ndpi_struct, NDPI_LOG_DEBUG, "MySQL detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found MySQL\n"); ndpi_int_mysql_add_connection(ndpi_struct, flow); return; } @@ -65,7 +70,7 @@ void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, str } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_MYSQL); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/netbios.c b/src/lib/protocols/netbios.c index c899086eb..d10a33b1a 100644 --- a/src/lib/protocols/netbios.c +++ b/src/lib/protocols/netbios.c 
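Review bot: The field tests at `a + 19`, `a + 27` and `a + 31` in `ndpi_search_mysql_tcp` touch bytes up to index `a + 31`, and the only length test visible in the diff is `payload_packet_len > 38`. The reads stay in bounds only if the loop that sets `a` (outside the hunk) stops with `a + 31 < packet->payload_packet_len`; if it does not, that comparison should be added ahead of the three reads, e.g. `a + 31 < packet->payload_packet_len &&`. The 8-byte read through `get_u_int64_t` also lands on an arbitrary offset, so it is worth confirming the helper tolerates unaligned access on every target the library supports.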
@@ -23,10 +23,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_NETBIOS +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NETBIOS + +#include "ndpi_api.h" + + struct netbios_header { u_int16_t transaction_id, flags, questions, answer_rrs, authority_rrs, additional_rrs; }; @@ -81,10 +86,10 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc u_int16_t dport; char name[64]; + NDPI_LOG_DBG(ndpi_struct, "search netbios\n"); if(packet->udp != NULL) { dport = ntohs(packet->udp->dest); - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, "netbios udp start\n"); /*check standard NETBIOS over udp to port 137 */ if((dport == 137 || 0) && packet->payload_packet_len >= 50) { @@ -95,16 +100,14 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc h.questions = ntohs(h.questions), h.answer_rrs = ntohs(h.answer_rrs), h.authority_rrs = ntohs(h.authority_rrs), h.additional_rrs = ntohs(h.additional_rrs); - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, "found netbios port 137 and payload_packet_len 50\n"); + NDPI_LOG_DBG(ndpi_struct, "found netbios port 137 and payload_packet_len 50\n"); if(h.flags == 0 && h.questions == 1 && h.answer_rrs == 0 && h.authority_rrs == 0 && h.additional_rrs == 0) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, "found netbios with questions = 1 and answers = 0, authority = 0 \n"); + NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 \n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); return; 
@@ -114,8 +117,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc h.answer_rrs == 0 && h.authority_rrs == 0) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, "found netbios with questions = 1 and answers = 0, authority = 0 and broadcast \n"); + NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 and broadcast \n"); if(ndpi_netbios_name_interpret((char*)&packet->payload[12], name, sizeof(name)) > 0) snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); @@ -128,8 +130,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc h.answer_rrs == 0 && h.authority_rrs == 0 && h.additional_rrs == 1) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, "found netbios with questions = 1 and answers, authority, additional = 0 \n"); + NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers, authority, additional = 0 \n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); return; @@ -139,8 +140,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc h.answer_rrs == 0 && h.authority_rrs == 0 && h.additional_rrs == 1) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, "found netbios with questions = 1 and answers = 0, authority = 0 \n"); + NDPI_LOG_INFO(ndpi_struct, "found netbios with questions = 1 and answers = 0, authority = 0 \n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); return; @@ -150,8 +150,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc h.answer_rrs == 1 && h.authority_rrs == 0 && h.additional_rrs == 0) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found netbios with flag 8400 questions = 0 and answers = 1, authority, additional = 0 \n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); 
@@ -162,8 +161,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc h.answer_rrs == 1 && h.authority_rrs == 0 && h.additional_rrs == 0) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found netbios with flag 8500 questions = 0 and answers = 1, authority, additional = 0 \n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); @@ -174,8 +172,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc h.answer_rrs == 0 && h.authority_rrs == 0 && h.additional_rrs == 1) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found netbios with flag 2910, questions = 1 and answers, authority=0, additional = 1 \n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); @@ -186,8 +183,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc h.answer_rrs == 1 && h.authority_rrs == 0 && h.additional_rrs == 0) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found netbios with flag ad86 questions = 0 and answers = 1, authority, additional = 0 \n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); @@ -198,8 +194,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc h.answer_rrs == 0 && h.authority_rrs == 0 && h.additional_rrs == 0) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found netbios with flag 0110 questions = 1 and answers = 0, authority, additional = 0 \n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); 
@@ -208,7 +203,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc if((h.flags & 0xf800) == 0) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, "possible netbios name query request\n"); + NDPI_LOG_DBG2(ndpi_struct, "possible netbios name query request\n"); if(get_u_int16_t(packet->payload, 4) == htons(1) && get_u_int16_t(packet->payload, 6) == 0 && @@ -217,12 +212,12 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc /* name is encoded as described in rfc883 */ u_int8_t name_length = packet->payload[12]; - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "possible netbios name query request, one question\n"); if(packet->payload_packet_len == 12 + 1 + name_length + 1 + 2 + 2) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "possible netbios name query request, length matches\n"); /* null terminated? */ @@ -230,7 +225,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc get_u_int16_t(packet->payload, 12 + name_length + 2) == htons(0x0020) && get_u_int16_t(packet->payload, 12 + name_length + 4) == htons(0x0001)) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found netbios name query request\n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); return; @@ -238,7 +233,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc } } } else if((h.flags & 0xf800) == 0x8000) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "possible netbios name query response\n"); if(get_u_int16_t(packet->payload, 4) == 0 && 
@@ -248,12 +243,12 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc /* name is encoded as described in rfc883 */ u_int8_t name_length = packet->payload[12]; - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "possible netbios positive name query response, one answer\n"); if(packet->payload_packet_len >= 12 + 1 + name_length + 1 + 2 + 2) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "possible netbios name query response, length matches\n"); /* null terminated? */ @@ -261,7 +256,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc get_u_int16_t(packet->payload, 12 + name_length + 2) == htons(0x0020) && get_u_int16_t(packet->payload, 12 + name_length + 4) == htons(0x0001)) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found netbios name query response\n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); return; @@ -274,12 +269,12 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc /* name is encoded as described in rfc883 */ u_int8_t name_length = packet->payload[12]; - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "possible netbios negative name query response, one answer\n"); if(packet->payload_packet_len >= 12 + 1 + name_length + 1 + 2 + 2) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "possible netbios name query response, length matches\n"); /* null terminated? */ 
@@ -287,7 +282,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc get_u_int16_t(packet->payload, 12 + name_length + 2) == htons(0x000A) && get_u_int16_t(packet->payload, 12 + name_length + 4) == htons(0x0001)) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found netbios name query response\n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); return; @@ -300,12 +295,12 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc /* name is encoded as described in rfc883 */ u_int8_t name_length = packet->payload[12]; - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "possible netbios redirect name query response, one answer\n"); if(packet->payload_packet_len >= 12 + 1 + name_length + 1 + 2 + 2) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "possible netbios name query response, length matches\n"); /* null terminated? */ @@ -313,7 +308,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc get_u_int16_t(packet->payload, 12 + name_length + 2) == htons(0x0002) && get_u_int16_t(packet->payload, 12 + name_length + 4) == htons(0x0001)) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found netbios name query response\n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); return; 
@@ -332,17 +327,14 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc packet->payload_packet_len >= 14 && ntohs(get_u_int16_t(packet->payload, 10)) == packet->payload_packet_len - 14) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, "found netbios port 138 and payload length >= 112 \n"); + NDPI_LOG_DBG2(ndpi_struct, "found netbios port 138 and payload length >= 112 \n"); if(packet->payload[0] >= 0x11 && packet->payload[0] <= 0x16) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, "found netbios with MSG-type 0x11,0x12,0x13,0x14,0x15 or 0x16\n"); + NDPI_LOG_DBG2(ndpi_struct, "found netbios with MSG-type 0x11,0x12,0x13,0x14,0x15 or 0x16\n"); if(ntohl(get_u_int32_t(packet->payload, 4)) == ntohl(packet->iph->saddr)) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, "found netbios with checked ip-address.\n"); + NDPI_LOG_INFO(ndpi_struct, "found netbios with checked ip-address\n"); if(ndpi_netbios_name_interpret((char*)&packet->payload[12], name, sizeof(name)) > 0) snprintf((char*)flow->host_server_name, sizeof(flow->host_server_name)-1, "%s", name); 
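Review bot: In the port 138 branch the guard is `payload_packet_len >= 14`, yet the new debug text says `payload length >= 112`, and the branch goes on to pass `&packet->payload[12]` to `ndpi_netbios_name_interpret`, which receives the output size but not the number of input bytes left in the packet. With a 14-byte datagram only two bytes remain at offset 12, so whether the decoder stays in bounds depends on code outside this hunk; passing the remaining length, or raising the guard to cover the header plus a full encoded name, would make that explicit. The same call shape appears in the port 137 branch earlier in this diff. `packet->iph->saddr` is also dereferenced here with no visible NULL test, which matters if this dissector can run on IPv6 flows.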
@@ -357,21 +349,17 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc if(packet->tcp != NULL) { dport = ntohs(packet->tcp->dest); - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, "netbios tcp start\n"); - /* destination port must be 139 */ if(dport == 139) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, "found netbios with destination port 139\n"); + NDPI_LOG_DBG2(ndpi_struct, "found netbios with destination port 139\n"); /* payload_packet_len must be 72 */ if(packet->payload_packet_len == 72) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, "found netbios with payload_packen_len = 72. \n"); + NDPI_LOG_DBG2(ndpi_struct, "found netbios with payload_packen_len = 72. \n"); if(packet->payload[0] == 0x81 && packet->payload[1] == 0 && ntohs(get_u_int16_t(packet->payload, 2)) == 68) { - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, - NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found netbios with session request = 81, flags=0 and length od following bytes = 68. \n"); ndpi_int_netbios_add_connection(ndpi_struct, flow); @@ -382,8 +370,7 @@ void ndpi_search_netbios(struct ndpi_detection_module_struct *ndpi_struct, struc } - NDPI_LOG(NDPI_PROTOCOL_NETBIOS, ndpi_struct, NDPI_LOG_DEBUG, "exclude netbios\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_NETBIOS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void init_netbios_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) diff --git a/src/lib/protocols/netflow.c b/src/lib/protocols/netflow.c index 54c634263..a553e4b6a 100644 --- a/src/lib/protocols/netflow.c +++ b/src/lib/protocols/netflow.c 
@@ -18,10 +18,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_NETFLOW + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NETFLOW #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_NETFLOW #ifdef WIN32 extern int gettimeofday(struct timeval * tp, struct timezone * tzp); @@ -95,7 +99,7 @@ struct flow_ver7_rec { u_int32_t router_sc; /* Router which is shortcut by switch */ }; -static void ndpi_check_netflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +void ndpi_search_netflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; // const u_int8_t *packet_payload = packet->payload; @@ -103,6 +107,8 @@ static void ndpi_check_netflow(struct ndpi_detection_module_struct *ndpi_struct, time_t now; struct timeval now_tv; + NDPI_LOG_DBG(ndpi_struct, "search netflow\n"); + if((packet->udp != NULL) && (payload_len >= 24)) { u_int16_t version = (packet->payload[0] << 8) + packet->payload[1], uptime_offset; u_int32_t when, *_when; @@ -132,7 +138,7 @@ static void ndpi_check_netflow(struct ndpi_detection_module_struct *ndpi_struct, } if((expected_len > 0) && (expected_len != payload_len)) { - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_NETFLOW); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } 
@@ -159,20 +165,13 @@ static void ndpi_check_netflow(struct ndpi_detection_module_struct *ndpi_struct, if(((version == 1) && (when == 0)) || ((when >= 946684800 /* 1/1/2000 */) && (when <= now))) { - NDPI_LOG(NDPI_PROTOCOL_NETFLOW, ndpi_struct, NDPI_LOG_DEBUG, "Found netflow.\n"); + NDPI_LOG_INFO(ndpi_struct, "found netflow\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NETFLOW, NDPI_PROTOCOL_UNKNOWN); return; } } } -void ndpi_search_netflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - NDPI_LOG(NDPI_PROTOCOL_NETFLOW, ndpi_struct, NDPI_LOG_DEBUG, "netflow detection...\n"); - ndpi_check_netflow(ndpi_struct, flow); -} - - void init_netflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("NetFlow", ndpi_struct, detection_bitmask, *id, diff --git a/src/lib/protocols/nfs.c b/src/lib/protocols/nfs.c index 36fc007d6..c074b9d3b 100644 --- a/src/lib/protocols/nfs.c +++ b/src/lib/protocols/nfs.c @@ -23,10 +23,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_NFS +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NFS + +#include "ndpi_api.h" + + static void ndpi_int_nfs_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -37,8 +42,7 @@ void ndpi_search_nfs(struct ndpi_detection_module_struct *ndpi_struct, struct nd { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + NDPI_LOG_DBG(ndpi_struct, "search NFS\n"); u_int8_t offset = 0; if (packet->tcp != NULL) 
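Review bot: After the timestamp test in `ndpi_search_netflow` the function simply ends, so a UDP flow that fails the `when` range check, and any non-UDP or short packet, is never added to the excluded set; the only `NDPI_EXCLUDE_PROTO` call visible in this diff is the `expected_len` mismatch. If the dissector is meant to decide on a single packet, a closing `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` before the final brace stops it being re-run on every later packet of unrelated flows. The `when <= now` bound also ties detection to the analyser's wall clock, which deserves a comment for anyone replaying captures recorded on a host with a later clock. Part of the function body lies between the hunks and is not shown.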
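Review bot: The new `NDPI_LOG_DBG(ndpi_struct, "search NFS\n");` in `ndpi_search_nfs` sits above `u_int8_t offset = 0;`, which puts a statement before a declaration in the same block. That is valid C99 but may be rejected by compilers running in C89 mode, and the mssql_tds, netbios and netflow hunks of this same commit all place the trace after the last declaration. Moving the log call below `u_int8_t offset = 0;` keeps the file consistent with them.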
@@ -47,41 +51,41 @@ void ndpi_search_nfs(struct ndpi_detection_module_struct *ndpi_struct, struct nd if (packet->payload_packet_len < (40 + offset)) goto exclude_nfs; - NDPI_LOG(NDPI_PROTOCOL_NFS, ndpi_struct, NDPI_LOG_DEBUG, "NFS user match stage 1\n"); + NDPI_LOG_DBG2(ndpi_struct, "NFS user match stage 1\n"); if (offset != 0 && get_u_int32_t(packet->payload, 0) != htonl(0x80000000 + packet->payload_packet_len - 4)) goto exclude_nfs; - NDPI_LOG(NDPI_PROTOCOL_NFS, ndpi_struct, NDPI_LOG_DEBUG, "NFS user match stage 2\n"); + NDPI_LOG_DBG2(ndpi_struct, "NFS user match stage 2\n"); if (get_u_int32_t(packet->payload, 4 + offset) != 0) goto exclude_nfs; - NDPI_LOG(NDPI_PROTOCOL_NFS, ndpi_struct, NDPI_LOG_DEBUG, "NFS user match stage 3\n"); + NDPI_LOG_DBG2(ndpi_struct, "NFS user match stage 3\n"); if (get_u_int32_t(packet->payload, 8 + offset) != htonl(0x02)) goto exclude_nfs; - NDPI_LOG(NDPI_PROTOCOL_NFS, ndpi_struct, NDPI_LOG_DEBUG, "NFS match stage 3\n"); + NDPI_LOG_DBG2(ndpi_struct, "NFS match stage 3\n"); if (get_u_int32_t(packet->payload, 12 + offset) != htonl(0x000186a5) && get_u_int32_t(packet->payload, 12 + offset) != htonl(0x000186a3) && get_u_int32_t(packet->payload, 12 + offset) != htonl(0x000186a0)) goto exclude_nfs; - NDPI_LOG(NDPI_PROTOCOL_NFS, ndpi_struct, NDPI_LOG_DEBUG, "NFS match stage 4\n"); + NDPI_LOG_DBG2(ndpi_struct, "NFS match stage 4\n"); if (ntohl(get_u_int32_t(packet->payload, 16 + offset)) > 4) goto exclude_nfs; - NDPI_LOG(NDPI_PROTOCOL_NFS, ndpi_struct, NDPI_LOG_DEBUG, "NFS match\n"); + NDPI_LOG_INFO(ndpi_struct, "found NFS\n"); ndpi_int_nfs_add_connection(ndpi_struct, flow); return; exclude_nfs: - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_NFS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/nintendo.c b/src/lib/protocols/nintendo.c index d4f289d66..8b76f33a6 100644 --- a/src/lib/protocols/nintendo.c +++ b/src/lib/protocols/nintendo.c 
@@ -21,11 +21,14 @@ * */ - -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_NINTENDO +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NINTENDO + +#include "ndpi_api.h" + static void ndpi_int_nintendo_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int8_t due_to_correlation) { @@ -43,15 +46,14 @@ void ndpi_search_nintendo(struct ndpi_detection_module_struct *ndpi_struct, stru const char nintendo_pattern[] = { 0x32, 0xab, 0x98, 0x64, 0x02 }; if(memcmp(payload, nintendo_pattern, 5) == 0) { - NDPI_LOG(NDPI_PROTOCOL_NINTENDO, ndpi_struct, NDPI_LOG_DEBUG, "Found nintendo.\n"); + NDPI_LOG_INFO(ndpi_struct, "found nintendo\n"); ndpi_int_nintendo_add_connection(ndpi_struct, flow, 0); return; } } } - NDPI_LOG(NDPI_PROTOCOL_NINTENDO, ndpi_struct, NDPI_LOG_DEBUG, "Exclude Nintendo.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_NINTENDO); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void init_nintendo_dissector(struct ndpi_detection_module_struct *ndpi_struct, diff --git a/src/lib/protocols/noe.c b/src/lib/protocols/noe.c index 814cfc4a0..9899b056b 100644 --- a/src/lib/protocols/noe.c +++ b/src/lib/protocols/noe.c 
@@ -5,28 +5,32 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_NOE + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NOE #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_NOE static void ndpi_int_noe_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_NOE, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found noe\n"); } void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "search for NOE.\n"); + NDPI_LOG_DBG(ndpi_struct, "search NOE\n"); if(packet->udp != NULL) { - NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over udp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculating dport over udp\n"); if (packet->payload_packet_len == 1 && ( packet->payload[0] == 0x05 || packet->payload[0] == 0x04 )) { - NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "found noe.\n"); ndpi_int_noe_add_connection(ndpi_struct, flow); return; } else if((packet->payload_packet_len == 5 || packet->payload_packet_len == 12) && 
@@ -34,19 +38,18 @@ void ndpi_search_noe(struct ndpi_detection_module_struct *ndpi_struct, struct nd (packet->payload[1] == 0x00 ) && (packet->payload[2] != 0x00 ) && (packet->payload[3] == 0x00 )) { - NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "found noe.\n"); ndpi_int_noe_add_connection(ndpi_struct, flow); + return; } else if((packet->payload_packet_len >= 25) && (packet->payload[0] == 0x00 && packet->payload[1] == 0x06 && packet->payload[2] == 0x62 && packet->payload[3] == 0x6c)) { - NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "found noe.\n"); ndpi_int_noe_add_connection(ndpi_struct, flow); + return; } } else { - NDPI_LOG(NDPI_PROTOCOL_NOE, ndpi_struct, NDPI_LOG_DEBUG, "exclude NOE.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_NOE); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/ntp.c b/src/lib/protocols/ntp.c index 6e355c9f8..3b8eb3d7d 100644 --- a/src/lib/protocols/ntp.c +++ b/src/lib/protocols/ntp.c @@ -22,10 +22,13 @@ * */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_NTP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_NTP + +#include "ndpi_api.h" static void ndpi_int_ntp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
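Review bot: In `ndpi_search_noe` the `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` call sits only in the `else` of `if(packet->udp != NULL)`, so a UDP packet that matches none of the three payload patterns leaves the function without the protocol being excluded. The added `return;` statements make the matched paths explicit but leave this path unchanged, and as far as the hunk shows such flows are offered to the NOE dissector again on every packet. Dropping the `else` so that the exclusion follows the UDP block, `} NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`, would close it; if waiting for later packets is intended, a packet-count limit would bound the wait. The same shape is in the `ndpi_search_oracle` hunk `@@ -46,17 +50,16 @@`, where the exclusion is reached only when `packet->tcp` is NULL and the matched branches would also need a `return;`.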
@@ -37,31 +40,28 @@ void ndpi_search_ntp_udp(struct ndpi_detection_module_struct *ndpi_struct, struc { struct ndpi_packet_struct *packet = &flow->packet; - if (!(packet->udp->dest == htons(123) || packet->udp->source == htons(123))) - goto exclude_ntp; - - NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP port detected\n"); - - NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP length detected\n"); + NDPI_LOG_DBG(ndpi_struct, "search NTP\n"); + + if (packet->udp->dest == htons(123) || packet->udp->source == htons(123)) { + NDPI_LOG_DBG2(ndpi_struct, "NTP port and length detected\n"); - if ((((packet->payload[0] & 0x38) >> 3) <= 4)) { - NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "detected NTP."); + if ((((packet->payload[0] & 0x38) >> 3) <= 4)) { - // 38 in binary representation is 00111000 - flow->protos.ntp.version = (packet->payload[0] & 0x38) >> 3; + // 38 in binary representation is 00111000 + flow->protos.ntp.version = (packet->payload[0] & 0x38) >> 3; - if (flow->protos.ntp.version == 2) { - flow->protos.ntp.request_code = packet->payload[3]; - } + if (flow->protos.ntp.version == 2) { + flow->protos.ntp.request_code = packet->payload[3]; + } - ndpi_int_ntp_add_connection(ndpi_struct, flow); - return; + NDPI_LOG_INFO(ndpi_struct, "found NTP\n"); + ndpi_int_ntp_add_connection(ndpi_struct, flow); + return; + } } - - exclude_ntp: - NDPI_LOG(NDPI_PROTOCOL_NTP, ndpi_struct, NDPI_LOG_DEBUG, "NTP excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_NTP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } diff --git a/src/lib/protocols/openft.c b/src/lib/protocols/openft.c index c4a10645b..4a86a067f 100644 --- a/src/lib/protocols/openft.c +++ b/src/lib/protocols/openft.c 
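Review bot: `ndpi_search_ntp_udp` reads `packet->payload[0]` and, for version 2, `packet->payload[3]` with no test of `packet->payload_packet_len` anywhere in the visible body, so a datagram on port 123 shorter than four bytes may be read past its end. The new message `"NTP port and length detected\n"` also describes a length check that the code does not perform. I would fold the guard into the port test, `if (packet->payload_packet_len >= 4 && (packet->udp->dest == htons(123) || packet->udp->source == htons(123))) {`, unless the caller is known to guarantee a minimum payload.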
@@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_OPENFT +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OPENFT + +#include "ndpi_protocols.h" + static void ndpi_int_openft_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -37,21 +41,18 @@ void ndpi_search_openft_tcp(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - if (packet->payload_packet_len > 5 && memcmp(packet->payload, "GET /", 5) == 0) { - NDPI_LOG(NDPI_PROTOCOL_OPENFT, ndpi_struct, NDPI_LOG_DEBUG, "HTTP packet detected.\n"); + NDPI_LOG_DBG2(ndpi_struct, "HTTP packet detected\n"); ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->parsed_lines >= 2 && packet->line[1].len > 13 && memcmp(packet->line[1].ptr, "X-OpenftAlias:", 14) == 0) { - NDPI_LOG(NDPI_PROTOCOL_OPENFT, ndpi_struct, NDPI_LOG_DEBUG, "OpenFT detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found OpenFT\n"); ndpi_int_openft_add_connection(ndpi_struct, flow); return; } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OPENFT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/openvpn.c b/src/lib/protocols/openvpn.c index 234f18df8..6756c173d 100644 --- a/src/lib/protocols/openvpn.c +++ b/src/lib/protocols/openvpn.c @@ -21,10 +21,15 @@ * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_OPENVPN +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OPENVPN + +#include "ndpi_api.h" + + #define P_CONTROL_HARD_RESET_CLIENT_V1 (0x01 << 3) #define P_CONTROL_HARD_RESET_CLIENT_V2 (0x07 << 3) #define P_CONTROL_HARD_RESET_SERVER_V1 (0x02 << 3) 
@@ -81,7 +86,7 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct, if (check_pkid_and_detect_hmac_size(ovpn_payload) > 0) { memcpy(flow->ovpn_session_id, ovpn_payload+1, 8); - NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "session key: %02x%02x%02x%02x%02x%02x%02x%02x\n", flow->ovpn_session_id[0], flow->ovpn_session_id[1], flow->ovpn_session_id[2], flow->ovpn_session_id[3], flow->ovpn_session_id[4], flow->ovpn_session_id[5], flow->ovpn_session_id[6], flow->ovpn_session_id[7]); @@ -95,10 +100,12 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct, alen = ovpn_payload[P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size)]; session_remote = ovpn_payload + P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) + 1 + alen * 4; - if (memcmp(flow->ovpn_session_id, session_remote, 8) == 0) - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN); + if (memcmp(flow->ovpn_session_id, session_remote, 8) == 0) { + NDPI_LOG_INFO(ndpi_struct,"found openvpn\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_OPENVPN, NDPI_PROTOCOL_UNKNOWN); + } else { - NDPI_LOG(NDPI_PROTOCOL_OPENVPN, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "key mismatch: %02x%02x%02x%02x%02x%02x%02x%02x\n", session_remote[0], session_remote[1], session_remote[2], session_remote[3], session_remote[4], session_remote[5], session_remote[6], session_remote[7]); @@ -111,8 +118,9 @@ void ndpi_search_openvpn(struct ndpi_detection_module_struct* ndpi_struct, flow->ovpn_counter++; - if (failed) - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OPENVPN); + if (failed) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } } } diff --git a/src/lib/protocols/oracle.c b/src/lib/protocols/oracle.c index 0a12b8676..5fda78672 100644 --- a/src/lib/protocols/oracle.c +++ b/src/lib/protocols/oracle.c 
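Review bot: In hunk `@@ -95,10 +100,12 @@` of `ndpi_search_openvpn`, `session_remote` is computed from `alen`, a byte taken from the packet, as `ovpn_payload + P_PACKET_ID_ARRAY_LEN_OFFSET(hmac_size) + 1 + alen * 4`, and the visible lines do not compare that offset with the payload length before `memcmp` reads eight bytes from it. The new `key mismatch` log in the `else` branch reads `session_remote[0]` to `session_remote[7]` again, so it adds a second use of the unchecked pointer. A test that the offset plus 8 stays within the remaining payload should precede both, skipping the comparison when it does not fit. The function starts and ends outside the hunk, so a check placed there would make this moot.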
@@ -18,11 +18,15 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_ORACLE + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ORACLE #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_ORACLE static void ndpi_int_oracle_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -34,11 +38,11 @@ void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct, struct struct ndpi_packet_struct *packet = &flow->packet; u_int16_t dport = 0, sport = 0; - NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "search for ORACLE.\n"); + NDPI_LOG_DBG(ndpi_struct, "search ORACLE\n"); if(packet->tcp != NULL) { sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); - NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "calculating ORACLE over tcp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculating ORACLE over tcp\n"); /* Oracle Database 9g,10g,11g */ if ((dport == 1521 || sport == 1521) && (((packet->payload[0] == 0x07) && (packet->payload[1] == 0xff) && (packet->payload[2] == 0x00)) 
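Review bot: The port-1521 test in `ndpi_search_oracle` (`@@ -34,11 +38,11 @@`) reads `packet->payload[0]`, `[1]` and `[2]` with no check of `packet->payload_packet_len` in the visible lines, so a TCP segment with fewer than three payload bytes on that port may be compared beyond its data. Adding `packet->payload_packet_len >= 3 &&` in front of the `0x07 0xff 0x00` comparison would bound it. The condition continues past the end of this hunk, so the remaining alternatives need the same look.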
@@ -46,17 +50,16 @@ void ndpi_search_oracle(struct ndpi_detection_module_struct *ndpi_struct, struct && (packet->payload[1] != 0x00) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x00)))) { - NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "found oracle.\n"); + NDPI_LOG_INFO(ndpi_struct, "found oracle\n"); ndpi_int_oracle_add_connection(ndpi_struct, flow); } else if (packet->payload_packet_len == 213 && packet->payload[0] == 0x00 && packet->payload[1] == 0xd5 && packet->payload[2] == 0x00 && packet->payload[3] == 0x00 ) { - NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "found oracle.\n"); + NDPI_LOG_INFO(ndpi_struct, "found oracle\n"); ndpi_int_oracle_add_connection(ndpi_struct, flow); } } else { - NDPI_LOG(NDPI_PROTOCOL_ORACLE, ndpi_struct, NDPI_LOG_DEBUG, "exclude ORACLE.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ORACLE); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/oscar.c b/src/lib/protocols/oscar.c index d6ca25cde..6dec353a5 100644 --- a/src/lib/protocols/oscar.c +++ b/src/lib/protocols/oscar.c @@ -22,6 +22,11 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_OSCAR + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_OSCAR #include "ndpi_api.h" @@ -69,7 +74,6 @@ #define EMAIL 0x0018 #define IS_EXT 0x0085 -#ifdef NDPI_PROTOCOL_OSCAR static void ndpi_int_oscar_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
@@ -146,28 +150,28 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct /* No TLVs */ if(packet->payload_packet_len == 10) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Sign In \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Sign In \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* /\* SCREEN_NAME *\/ */ /* if (get_u_int16_t(packet->payload, 10) == htons(SCREEN_NAME)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x01 *\/ */ /* { */ - /* NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Screen Name \n"); */ + /* NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Screen Name \n"); */ /* ndpi_int_oscar_add_connection(ndpi_struct, flow); */ /* return; */ /* } */ /* /\* PASSWD *\/ */ /* if (get_u_int16_t(packet->payload, 10) == htons(PASSWD)) /\* packet->payload[10] == 0x00 && packet->payload[11] == 0x02 *\/ */ /* { */ - /* NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Password (roasted) \n"); */ + /* NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Password (roasted) \n"); */ /* ndpi_int_oscar_add_connection(ndpi_struct, flow); */ /* return; */ /* } */ /* CLIENT_NAME */ if (get_u_int16_t(packet->payload, 10) == htons(CLIENT_NAME)) /* packet->payload[10] == 0x00 && packet->payload[11] == 0x03 */ { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Client Name \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Client Name \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } @@ -182,7 +186,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x01) || (get_u_int8_t(packet->payload, packet->payload_packet_len - 1) == 0x03)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Login \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Login \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } 
@@ -191,35 +195,35 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct /* MAJOR_VERSION */ if (get_u_int16_t(packet->payload, 10) == htons(MAJOR_VERSION)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Major_Version \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Major_Version \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* MINOR_VERSION */ if (get_u_int16_t(packet->payload, 10) == htons(MINOR_VERSION)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Minor_Version \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Minor_Version \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* POINT_VERSION */ if (get_u_int16_t(packet->payload, 10) == htons(POINT_VERSION)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Point_Version \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Point_Version \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* BUILD_NUM */ if (get_u_int16_t(packet->payload, 10) == htons(BUILD_NUM)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Build_Num \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Build_Num \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } /* CLIENT_RECONNECT */ if (get_u_int16_t(packet->payload, 10) == htons(CLIENT_RECONNECT)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR - Client_Reconnect \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Client_Reconnect \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } @@ -254,7 +258,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct type = 0; if (family == 0 || type == 0) { - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OSCAR); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } 
@@ -565,8 +569,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if(excluded == 1) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "exclude oscar.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OSCAR); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } /* flag */ @@ -581,7 +584,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct req_ID = get_u_int32_t(packet->payload, 12); if((req_ID <= ((u_int32_t)-1))) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR Detected \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } @@ -595,7 +598,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct */ if (channel == O_ERROR) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR Detected - Error frame \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Error frame \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } @@ -605,7 +608,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct */ if (channel == SIGNOFF) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR Detected - Signoff frame \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Signoff frame \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } @@ -615,7 +618,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct */ if (channel == KEEP_ALIVE) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR Detected - Keep Alive frame \n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR - Keep Alive frame \n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } 
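Review bot: In hunk `@@ -581,7 +584,7 @@` the test `if((req_ID <= ((u_int32_t)-1)))` guarding the new `found OSCAR` message looks always true: `req_ID` is filled from `get_u_int32_t(packet->payload, 12)`, and assuming it is declared as a 32-bit unsigned value, nothing it can hold exceeds `(u_int32_t)-1`. As written, every packet reaching this point is classified as OSCAR and is now logged at INFO level. Either the intended range check should be restored, or the condition removed with a comment such as `/* any 32-bit request id is accepted */`. The declaration of `req_ID` and the enclosing conditions are outside the hunk.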
@@ -628,8 +631,8 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); if (packet->host_line.len >= 18 && packet->host_line.ptr != NULL) { if (memcmp(packet->host_line.ptr, "lifestream.aol.com", 18) == 0) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, - "OSCAR over HTTP found, POST method\n"); + NDPI_LOG_INFO(ndpi_struct, + "found OSCAR over HTTP, POST method\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } @@ -643,7 +646,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct (memcmp(&packet->payload[5], "aim/gromit/aim_express", 22) == 0) || (memcmp(&packet->payload[5], "b/ss/aolwpaim", 13) == 0) || (memcmp(&packet->payload[5], "hss/storage/aimtmpshare", 23) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR over HTTP found, GET /aim/\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR over HTTP, GET /aim/\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } @@ -656,7 +659,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct (memcmp(packet->user_agent_line.ptr, "mobileICQ/", 10) == 0) || (memcmp(packet->user_agent_line.ptr, "AIM%20Free/", NDPI_STATICSTRING_LEN("AIM%20Free/")) == 0) || (memcmp(packet->user_agent_line.ptr, "AIM/", 4) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR over HTTP found\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR over HTTP\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } 
@@ -670,8 +673,8 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct for (i = 0; i < (packet->referer_line.len - 22); i++) { if (packet->referer_line.ptr[i] == 'a') { if (memcmp(&packet->referer_line.ptr[i + 1], "im/gromit/aim_express", 21) == 0) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, - "OSCAR over HTTP found : aim/gromit/aim_express\n"); + NDPI_LOG_INFO(ndpi_struct, + "found OSCAR over HTTP : aim/gromit/aim_express\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } @@ -682,12 +685,12 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct } if (memcmp(packet->payload, "CONNECT ", 8) == 0) { if (memcmp(packet->payload, "CONNECT login.icq.com:443 HTTP/1.", 33) == 0) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR ICQ-HTTP FOUND\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR ICQ-HTTP\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } if (memcmp(packet->payload, "CONNECT login.oscar.aol.com:5190 HTTP/1.", 40) == 0) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR AIM-HTTP FOUND\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR AIM-HTTP\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } 
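Review bot: The `CONNECT` checks in hunk `@@ -682,12 +685,12 @@` compare 8, 33 and 40 bytes of `packet->payload` with `memcmp`, and no `packet->payload_packet_len` test appears in the visible lines, whereas the proxy `GET` checks in the following hunk test the length first (`packet->payload_packet_len > 43 && memcmp(...)`). If no enclosing condition outside the hunk already bounds the length, a short segment beginning with `CONNECT ` would be compared past its end. Writing them the same way, e.g. `if (packet->payload_packet_len > 33 && memcmp(packet->payload, "CONNECT login.icq.com:443 HTTP/1.", 33) == 0) {`, makes each comparison self-checking.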
@@ -697,33 +700,33 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (packet->payload_packet_len > 43 && memcmp(packet->payload, "GET http://http.proxy.icq.com/hello HTTP/1.", 43) == 0) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR ICQ-HTTP PROXY FOUND\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR ICQ-HTTP PROXY\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len > 46 && memcmp(packet->payload, "GET http://aimhttp.oscar.aol.com/hello HTTP/1.", 46) == 0) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR AIM-HTTP PROXY FOUND\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR AIM-HTTP PROXY\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len > 5 && get_u_int32_t(packet->payload, 0) == htonl(0x05010003)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "Maybe OSCAR Picturetransfer\n"); + NDPI_LOG_DBG2(ndpi_struct, "Maybe OSCAR Picturetransfer\n"); return; } if (packet->payload_packet_len == 10 && get_u_int32_t(packet->payload, 0) == htonl(0x05000001) && get_u_int32_t(packet->payload, 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "Maybe OSCAR Picturetransfer\n"); + NDPI_LOG_DBG2(ndpi_struct, "Maybe OSCAR Picturetransfer\n"); return; } if (packet->payload_packet_len >= 70 && memcmp(&packet->payload[packet->payload_packet_len - 26], "\x67\x00\x65\x00\x74\x00\x43\x00\x61\x00\x74\x00\x61\x00\x6c\x00\x6f\x00\x67", 19) == 0) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR PICTURE TRANSFER\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } 
@@ -751,7 +754,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct == 0) )))) { // FILE TRANSFER PATTERN:: OFT3 or OFT2 - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR FILE TRANSFER\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR FILE TRANSFER\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } @@ -759,7 +762,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (memcmp(packet->payload, "ODC2", 4) == 0 && memcmp(&packet->payload[6], "\x00\x01\x00\x06", 4) == 0) { //PICTURE TRANSFER PATTERN EXMAPLE:: //4f 44 43 32 00 4c 00 01 00 06 00 00 00 00 00 00 ODC2.L.......... - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR PICTURE TRANSFER\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); return; } @@ -770,7 +773,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct && packet->payload[packet->payload_packet_len - 12] == 'L' && (memcmp(&packet->payload[packet->payload_packet_len - 6], "DEST", 4) == 0) && (memcmp(&packet->payload[packet->payload_packet_len - 2], "\x00\x00", 2) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR PICTURE TRANSFER\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR PICTURE TRANSFER\n"); ndpi_int_oscar_add_connection(ndpi_struct, flow); if (ntohs(packet->tcp->dest) == 443 || ntohs(packet->tcp->source) == 443) { flow->oscar_ssl_voice_stage = 1; @@ -787,7 +790,7 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_OSCAR) { - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_OSCAR); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } } 
@@ -795,8 +798,8 @@ static void ndpi_search_oscar_tcp_connect(struct ndpi_detection_module_struct void ndpi_search_oscar(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search OSCAR\n"); if (packet->tcp != NULL) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR :: TCP\n"); ndpi_search_oscar_tcp_connect(ndpi_struct, flow); } } diff --git a/src/lib/protocols/pando.c b/src/lib/protocols/pando.c index b906e7ed9..e5f292550 100644 --- a/src/lib/protocols/pando.c +++ b/src/lib/protocols/pando.c @@ -23,9 +23,14 @@ * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_PANDO + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PANDO + +#include "ndpi_api.h" + static void ndpi_int_pando_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PANDO, NDPI_PROTOCOL_UNKNOWN); } @@ -35,7 +40,7 @@ static void ndpi_check_pando_tcp(struct ndpi_detection_module_struct *ndpi_struc u_int32_t payload_len = packet->payload_packet_len; if (ndpi_match_strprefix(packet->payload, payload_len, "\x0ePan")) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "Found PANDO.\n"); + NDPI_LOG_INFO(ndpi_struct, "Found PANDO\n"); ndpi_int_pando_add_connection(ndpi_struct, flow); } } 
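Review bot: The message in `ndpi_check_pando_tcp` (`@@ -35,7 +40,7 @@`) is `"Found PANDO\n"`, while the UDP paths of the same file and the other dissectors in this commit use lowercase `found ...`. If these INFO lines are meant to be searchable under one convention, this should read `NDPI_LOG_INFO(ndpi_struct, "found PANDO\n");`. The pcanywhere and postgres hunks likewise keep their `... detected` wording at INFO level.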
@@ -45,11 +50,11 @@ static void ndpi_check_pando_udp(struct ndpi_detection_module_struct *ndpi_struc u_int32_t payload_len = packet->payload_packet_len; /* Check if we so far detected the protocol in the request or not. */ + NDPI_LOG_DBG2(ndpi_struct, "PANDO stage %u: \n", flow->pando_stage); if (flow->pando_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "PANDO stage 0: \n"); if ((payload_len >= 4) && (packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x09)) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "Possible PANDO request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible PANDO request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->pando_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 @@ -57,7 +62,7 @@ static void ndpi_check_pando_udp(struct ndpi_detection_module_struct *ndpi_struc } if (ndpi_match_strprefix(packet->payload, payload_len, "UDPA")) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "Possible PANDO request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible PANDO request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->pando_stage = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4 
@@ -65,7 +70,7 @@ static void ndpi_check_pando_udp(struct ndpi_detection_module_struct *ndpi_struc } if (ndpi_match_strprefix(packet->payload, payload_len, "UDPR") || ndpi_match_strprefix(packet->payload, payload_len, "UDPE")) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "Possible PANDO request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible PANDO request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->pando_stage = packet->packet_direction + 5; // packet_direction 0: stage 5, packet_direction 1: stage 6 @@ -73,7 +78,6 @@ static void ndpi_check_pando_udp(struct ndpi_detection_module_struct *ndpi_struc } } else if ((flow->pando_stage == 1) || (flow->pando_stage == 2)) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "PANDO stage %u: \n", flow->pando_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->pando_stage - packet->packet_direction) == 1) { 
@@ -82,15 +86,14 @@ static void ndpi_check_pando_udp(struct ndpi_detection_module_struct *ndpi_struc /* This is a packet in another direction. Check if we find the proper response. */ if ((payload_len == 0) || ((payload_len >= 4) && (packet->payload[0] == 0x00) && (packet->payload[1] == 0x00) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x09))) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "Found PANDO.\n"); + NDPI_LOG_INFO(ndpi_struct, "found PANDO\n"); ndpi_int_pando_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PANDO, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PANDO, resetting the stage to 0..\n"); flow->pando_stage = 0; } } else if ((flow->pando_stage == 3) || (flow->pando_stage == 4)) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "PANDO stage %u: \n", flow->pando_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->pando_stage - packet->packet_direction) == 3) { 
@@ -99,15 +102,14 @@ static void ndpi_check_pando_udp(struct ndpi_detection_module_struct *ndpi_struc /* This is a packet in another direction. Check if we find the proper response. */ if ((payload_len == 0) || (ndpi_match_strprefix(packet->payload, payload_len, "UDPR") || ndpi_match_strprefix(packet->payload, payload_len, "UDPE"))) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "Found PANDO.\n"); + NDPI_LOG_INFO(ndpi_struct, "found PANDO\n"); ndpi_int_pando_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PANDO, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PANDO, resetting the stage to 0..\n"); flow->pando_stage = 0; } } else if ((flow->pando_stage == 5) || (flow->pando_stage == 6)) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "PANDO stage %u: \n", flow->pando_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->pando_stage - packet->packet_direction) == 5) { @@ -116,10 +118,10 @@ static void ndpi_check_pando_udp(struct ndpi_detection_module_struct *ndpi_struc /* This is a packet in another direction. Check if we find the proper response. */ if (ndpi_match_strprefix(packet->payload, payload_len, "UDPA")) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "Found PANDO.\n"); + NDPI_LOG_INFO(ndpi_struct, "found PANDO\n"); ndpi_int_pando_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PANDO, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PANDO, resetting the stage to 0\n") flow->pando_stage = 0; } } 
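Review bot: The added line `NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PANDO, resetting the stage to 0\n")` in the stage 5/6 branch (`@@ -116,10 +118,10 @@`) has no terminating semicolon before `flow->pando_stage = 0;`. Whether this compiles depends on what `NDPI_LOG_DBG2` expands to, which is not visible here: with an expression-style expansion it is a syntax error, and with an empty or braced one it builds only by accident. Add the `;`. The two sibling messages in the earlier branches end in `..` while this one does not, which is worth unifying at the same time.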
@@ -128,10 +130,10 @@ static void ndpi_check_pando_udp(struct ndpi_detection_module_struct *ndpi_struc void ndpi_search_pando(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search PANDO\n"); /* Break after 20 packets. */ if (flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_TRACE, "PANDO excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PANDO); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -144,7 +146,6 @@ void ndpi_search_pando(struct ndpi_detection_module_struct *ndpi_struct, struct return; } - NDPI_LOG(NDPI_PROTOCOL_PANDO, ndpi_struct, NDPI_LOG_TRACE, "PANDO detection...\n"); ndpi_check_pando_tcp(ndpi_struct, flow); if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PANDO) { diff --git a/src/lib/protocols/pcanywhere.c b/src/lib/protocols/pcanywhere.c index b1e11e0a2..56b68b567 100644 --- a/src/lib/protocols/pcanywhere.c +++ b/src/lib/protocols/pcanywhere.c @@ -23,9 +23,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_PCANYWHERE +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PCANYWHERE + +#include "ndpi_api.h" + + static void ndpi_int_pcanywhere_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
@@ -37,19 +43,15 @@ void ndpi_search_pcanywhere(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - if (packet->udp != NULL && packet->udp->dest == htons(5632) && packet->payload_packet_len == 2 && (memcmp(packet->payload, "NQ", 2) == 0 || memcmp(packet->payload, "ST", 2) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_PCANYWHERE, ndpi_struct, NDPI_LOG_DEBUG, - "PC Anywhere name or status query detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "PC Anywhere name or status query detected\n"); ndpi_int_pcanywhere_add_connection(ndpi_struct, flow); return; } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PCANYWHERE); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/postgres.c b/src/lib/protocols/postgres.c index f1dc352a7..e23d316e4 100644 --- a/src/lib/protocols/postgres.c +++ b/src/lib/protocols/postgres.c @@ -23,9 +23,14 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_POSTGRES +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_POSTGRES + +#include "ndpi_api.h" + static void ndpi_int_postgres_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -37,10 +42,6 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - u_int16_t size; if (flow->l4.tcp.postgres_stage == 0) { 
@@ -65,13 +66,13 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct if (flow->l4.tcp.postgres_stage == 2 - packet->packet_direction) { //SSL accepted if (packet->payload_packet_len == 1 && packet->payload[0] == 'S') { - NDPI_LOG(NDPI_PROTOCOL_POSTGRES, ndpi_struct, NDPI_LOG_DEBUG, "PostgreSQL detected, SSL accepted.\n"); + NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, SSL accepted\n"); ndpi_int_postgres_add_connection(ndpi_struct, flow); return; } //SSL denied if (packet->payload_packet_len == 1 && packet->payload[0] == 'N') { - NDPI_LOG(NDPI_PROTOCOL_POSTGRES, ndpi_struct, NDPI_LOG_DEBUG, "PostgreSQL detected, SSL denied.\n"); + NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, SSL denied\n"); ndpi_int_postgres_add_connection(ndpi_struct, flow); return; } 
@@ -81,40 +82,40 @@ void ndpi_search_postgres_tcp(struct ndpi_detection_module_struct if (packet->payload_packet_len > 8 && ntohl(get_u_int32_t(packet->payload, 5)) < 10 && ntohl(get_u_int32_t(packet->payload, 1)) == packet->payload_packet_len - 1 && packet->payload[0] == 0x52) { - NDPI_LOG(NDPI_PROTOCOL_POSTGRES, ndpi_struct, NDPI_LOG_DEBUG, "PostgreSQL detected, no SSL.\n"); + NDPI_LOG_INFO(ndpi_struct, "PostgreSQL detected, no SSL\n"); ndpi_int_postgres_add_connection(ndpi_struct, flow); return; } if (flow->l4.tcp.postgres_stage == 6 && ntohl(get_u_int32_t(packet->payload, 1)) == packet->payload_packet_len - 1 && packet->payload[0] == 'p') { - NDPI_LOG(NDPI_PROTOCOL_POSTGRES, ndpi_struct, NDPI_LOG_DEBUG, "found postgres asymmetrically.\n"); + NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n"); ndpi_int_postgres_add_connection(ndpi_struct, flow); return; } if (flow->l4.tcp.postgres_stage == 5 && packet->payload[0] == 'R') { if (ntohl(get_u_int32_t(packet->payload, 1)) == packet->payload_packet_len - 1) { - NDPI_LOG(NDPI_PROTOCOL_POSTGRES, ndpi_struct, NDPI_LOG_DEBUG, "found postgres asymmetrically.\n"); + NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n"); ndpi_int_postgres_add_connection(ndpi_struct, flow); return; } size = (u_int16_t)ntohl(get_u_int32_t(packet->payload, 1)) + 1; if (packet->payload[size - 1] == 'S') { if ((size + get_u_int32_t(packet->payload, (size + 1))) == packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_POSTGRES, ndpi_struct, NDPI_LOG_DEBUG, "found postgres asymmetrically.\n"); + NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n"); ndpi_int_postgres_add_connection(ndpi_struct, flow); return; } } size += get_u_int32_t(packet->payload, (size + 1)) + 1; if (packet->payload[size - 1] == 'S') { - NDPI_LOG(NDPI_PROTOCOL_POSTGRES, ndpi_struct, NDPI_LOG_DEBUG, "found postgres asymmetrically.\n"); + NDPI_LOG_INFO(ndpi_struct, "found postgres asymmetrically\n"); ndpi_int_postgres_add_connection(ndpi_struct, 
flow); return; } } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_POSTGRES); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/pplive.c b/src/lib/protocols/pplive.c index 2e4747159..6f874d7b6 100644 --- a/src/lib/protocols/pplive.c +++ b/src/lib/protocols/pplive.c @@ -24,9 +24,14 @@ * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_PPLIVE + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PPLIVE + +#include "ndpi_api.h" + static void ndpi_int_pplive_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPLIVE, NDPI_PROTOCOL_UNKNOWN); } @@ -37,10 +42,10 @@ static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_str /* Check if we so far detected the protocol in the request or not. */ if (flow->pplive_stage1 == 0) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage 0: \n"); + NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage 0: \n"); if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Possible PPLIVE request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->pplive_stage1 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 
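Review bot: In the stage 5 branch of ndpi_search_postgres_tcp (the -81,40 hunk), `size` is taken from the packet and then used in `packet->payload[size - 1]` and `get_u_int32_t(packet->payload, (size + 1))` with no comparison against `packet->payload_packet_len`. A truncated or malformed message can therefore make the dissector read outside the payload, and the 16-bit wrap can leave `size` at 0 so that `size - 1` is negative. The stage 6 and stage 5 tests also read bytes 0 to 4 without a minimum-length check in view, though one may exist above the hunk. The commit only changes the log calls here; I would bound `size` before each read and fall through to the exclusion otherwise, as sketched below.

```c
    size = (u_int16_t)ntohl(get_u_int32_t(packet->payload, 1)) + 1;
    /* size comes from the packet: every read below must stay inside the payload */
    if (size == 0 || (u_int32_t)size + 5 > packet->payload_packet_len)
      goto exclude_postgres;
    /* … unchanged: first 'S' check and its length comparison … */
    size += get_u_int32_t(packet->payload, (size + 1)) + 1;
    if (size == 0 || size > packet->payload_packet_len)
      goto exclude_postgres;
    /* … unchanged: second 'S' check, closing braces of the stage blocks … */

 exclude_postgres:
  NDPI_EXCLUDE_PROTO(ndpi_struct, flow);
```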
@@ -48,7 +53,7 @@ static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_str } if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x42\x01")) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Possible PPLIVE request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->pplive_stage1 = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4 @@ -56,7 +61,7 @@ static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_str } if (ndpi_match_strprefix(packet->payload, payload_len, "\x1c\x1c\x32\x01")) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Possible PPLIVE request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->pplive_stage1 = packet->packet_direction + 5; // packet_direction 0: stage 5, packet_direction 1: stage 6 @@ -64,7 +69,7 @@ static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_str } } else if ((flow->pplive_stage1 == 1) || (flow->pplive_stage1 == 2)) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage %u: \n", flow->pplive_stage1); + NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage1); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->pplive_stage1 - packet->packet_direction) == 1) { 
@@ -73,15 +78,15 @@ static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_str /* This is a packet in another direction. Check if we find the proper response. */ if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x42\x01") || ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Found PPLIVE.\n"); + NDPI_LOG_DBG2(ndpi_struct, "Found PPLIVE\n"); ndpi_int_pplive_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PPLIVE, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n"); flow->pplive_stage1 = 0; } } else if ((flow->pplive_stage1 == 3) || (flow->pplive_stage1 == 4)) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage %u: \n", flow->pplive_stage1); + NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage1); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->pplive_stage1 - packet->packet_direction) == 3) { 
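Review bot: The stage 1/2 match in ndpi_check_pplive_udp1 reports the detection with `NDPI_LOG_DBG2(ndpi_struct, "Found PPLIVE\n");`, while the equivalent matches for stages 3/4 and 5/6 in the next hunk use NDPI_LOG_INFO. Presumably INFO is the level that marks a positive detection after this change, so this one branch would be missing from logs filtered at that level. I would make it `NDPI_LOG_INFO(ndpi_struct, "found PPLIVE\n");` to match the other branches. The function starts and ends outside this hunk.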
@@ -90,14 +95,14 @@ static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_str /* This is a packet in another direction. Check if we find the proper response. */ if (ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Found PPLIVE.\n"); + NDPI_LOG_INFO(ndpi_struct, "found PPLIVE\n"); ndpi_int_pplive_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PPLIVE, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n"); flow->pplive_stage1 = 0; } } else if ((flow->pplive_stage1 == 5) || (flow->pplive_stage1 == 6)) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage %u: \n", flow->pplive_stage1); + NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage1); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->pplive_stage1 - packet->packet_direction) == 5) { @@ -106,10 +111,10 @@ static void ndpi_check_pplive_udp1(struct ndpi_detection_module_struct *ndpi_str /* This is a packet in another direction. Check if we find the proper response. */ if (ndpi_match_strprefix(packet->payload, payload_len, "\x1c\x1c\x32\x01")) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Found PPLIVE.\n"); + NDPI_LOG_INFO(ndpi_struct, "Found PPLIVE\n"); ndpi_int_pplive_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PPLIVE, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n"); flow->pplive_stage1 = 0; } } 
@@ -121,19 +126,17 @@ static void ndpi_check_pplive_udp2(struct ndpi_detection_module_struct *ndpi_str u_int32_t payload_len = packet->payload_packet_len; /* Check if we so far detected the protocol in the request or not. */ + NDPI_LOG_DBG2(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage2); if (flow->pplive_stage2 == 0) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage 0: \n"); if ((payload_len == 57) && ndpi_match_strprefix(packet->payload, payload_len, "\xe9\x03\x41\x01")) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Possible PPLIVE request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->pplive_stage2 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 } } else { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage %u: \n", flow->pplive_stage2); - /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->pplive_stage2 - packet->packet_direction) == 1) { return; @@ -141,10 +144,10 @@ static void ndpi_check_pplive_udp2(struct ndpi_detection_module_struct *ndpi_str /* This is a packet in another direction. Check if we find the proper response. */ if (payload_len == 0) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Found PPLIVE.\n"); + NDPI_LOG_INFO(ndpi_struct, "found PPLIVE\n"); ndpi_int_pplive_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PPLIVE, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n"); flow->pplive_stage2 = 0; } 
@@ -156,11 +159,11 @@ static void ndpi_check_pplive_udp3(struct ndpi_detection_module_struct *ndpi_str u_int32_t payload_len = packet->payload_packet_len; /* Check if we so far detected the protocol in the request or not. */ + NDPI_LOG_DBG(ndpi_struct, "PPLIVE stage %u: \n", flow->pplive_stage3); if (flow->pplive_stage3 == 0) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage 0: \n"); if ((payload_len == 94) && (packet->udp->dest == htons(5041) || packet->udp->source == htons(5041) || packet->udp->dest == htons(8303) || packet->udp->source == htons(8303))) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Possible PPLIVE request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible PPLIVE request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->pplive_stage3 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 @@ -168,7 +171,6 @@ static void ndpi_check_pplive_udp3(struct ndpi_detection_module_struct *ndpi_str } } else { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE stage %u: \n", flow->pplive_stage3); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->pplive_stage3 - packet->packet_direction) == 1) { 
@@ -177,10 +179,10 @@ static void ndpi_check_pplive_udp3(struct ndpi_detection_module_struct *ndpi_str /* This is a packet in another direction. Check if we find the proper response. */ if ((payload_len == 0) || (payload_len == 49) ||(payload_len == 94)) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Found PPLIVE.\n"); + NDPI_LOG_INFO(ndpi_struct, "found PPLIVE\n"); ndpi_int_pplive_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to PPLIVE, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to PPLIVE, resetting the stage to 0..\n"); flow->pplive_stage3 = 0; } } @@ -190,10 +192,11 @@ static void ndpi_check_pplive_udp3(struct ndpi_detection_module_struct *ndpi_str void ndpi_search_pplive(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search PPLIVE\n"); + /* Break after 20 packets. */ if (flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "Exclude PPLIVE.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PPLIVE); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -201,7 +204,6 @@ void ndpi_search_pplive(struct ndpi_detection_module_struct *ndpi_struct, struct return; } - NDPI_LOG(NDPI_PROTOCOL_PPLIVE, ndpi_struct, NDPI_LOG_DEBUG, "PPLIVE detection...\n"); ndpi_check_pplive_udp1(ndpi_struct, flow); if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_PPLIVE) { diff --git a/src/lib/protocols/ppstream.c b/src/lib/protocols/ppstream.c index 04259def9..08d2f8ade 100644 --- a/src/lib/protocols/ppstream.c +++ b/src/lib/protocols/ppstream.c 
@@ -20,10 +20,15 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" + +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_PPSTREAM +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PPSTREAM + +#include "ndpi_api.h" + #define PPS_PORT 17788 @@ -31,6 +36,7 @@ static void ndpi_int_ppstream_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_PPSTREAM, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found PPStream over UDP\n"); } @@ -39,6 +45,7 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search PPStream\n"); /** PPS over TCP is detected inside HTTP dissector */ @@ -66,8 +73,6 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct /* increase count pkt ppstream over udp */ flow->l4.udp.ppstream_stage++; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found PPStream over UDP.\n"); ndpi_int_ppstream_add_connection(ndpi_struct, flow); return; } @@ -91,8 +96,6 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct /* increase count pkt ppstream over udp */ flow->l4.udp.ppstream_stage++; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found PPStream over UDP.\n"); ndpi_int_ppstream_add_connection(ndpi_struct, flow); return; } @@ -106,8 +109,6 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct /* increase count pkt ppstream over udp */ flow->l4.udp.ppstream_stage++; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found PPStream over UDP.\n"); ndpi_int_ppstream_add_connection(ndpi_struct, flow); return; } 
@@ -131,8 +132,6 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct /* increase count pkt ppstream over udp */ flow->l4.udp.ppstream_stage++; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found PPStream over UDP.\n"); ndpi_int_ppstream_add_connection(ndpi_struct, flow); return; } @@ -152,8 +151,6 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct /* increase count pkt ppstream over udp */ flow->l4.udp.ppstream_stage++; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found PPStream over UDP.\n"); ndpi_int_ppstream_add_connection(ndpi_struct, flow); return; } @@ -172,8 +169,6 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct /* increase count pkt ppstream over udp */ flow->l4.udp.ppstream_stage++; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found PPStream over UDP.\n"); ndpi_int_ppstream_add_connection(ndpi_struct, flow); return; } @@ -194,8 +189,6 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct /* increase count pkt ppstream over udp */ flow->l4.udp.ppstream_stage++; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found PPStream over UDP.\n"); ndpi_int_ppstream_add_connection(ndpi_struct, flow); return; } @@ -210,8 +203,6 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct /* increase count pkt ppstream over udp */ flow->l4.udp.ppstream_stage++; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found PPStream over UDP.\n"); ndpi_int_ppstream_add_connection(ndpi_struct, flow); return; } 
@@ -223,16 +214,13 @@ void ndpi_search_ppstream(struct ndpi_detection_module_struct /* increase count pkt ppstream over udp */ flow->l4.udp.ppstream_stage++; - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, - "found PPStream over udp.\n"); ndpi_int_ppstream_add_connection(ndpi_struct, flow); return; } } } - /* EXCLUDE PPS */ - NDPI_LOG(NDPI_PROTOCOL_PPSTREAM, ndpi_struct, NDPI_LOG_DEBUG, "exclude PPStream.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PPSTREAM); + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/pptp.c b/src/lib/protocols/pptp.c index 393604cbb..9bacdeded 100644 --- a/src/lib/protocols/pptp.c +++ b/src/lib/protocols/pptp.c @@ -22,12 +22,13 @@ * */ +#include "ndpi_protocol_ids.h" +#ifdef NDPI_PROTOCOL_PPTP -/* include files */ +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_PPTP -#include "ndpi_protocols.h" -#ifdef NDPI_PROTOCOL_PPTP +#include "ndpi_api.h" static void ndpi_int_pptp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -40,9 +41,7 @@ void ndpi_search_pptp(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; + NDPI_LOG_DBG(ndpi_struct, "search pptp\n"); if (packet->payload_packet_len >= 10 && get_u_int16_t(packet->payload, 0) == htons(packet->payload_packet_len) && get_u_int16_t(packet->payload, 2) == htons(0x0001) /* message type: control message */ 
@@ -50,13 +49,12 @@ void ndpi_search_pptp(struct ndpi_detection_module_struct &&(get_u_int16_t(packet->payload, 8) == htons(0x0001) /* control type: start-control-connection-request */ )) { - NDPI_LOG(NDPI_PROTOCOL_PPTP, ndpi_struct, NDPI_LOG_DEBUG, "found pptp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found pptp\n"); ndpi_int_pptp_add_connection(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_PPTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude pptp.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_PPTP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/qq.c b/src/lib/protocols/qq.c index 0507efa36..7eae869ac 100644 --- a/src/lib/protocols/qq.c +++ b/src/lib/protocols/qq.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_QQ + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_QQ #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_QQ static void ndpi_int_qq_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , */ @@ -243,7 +247,7 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, u_int16_t no_of_patterns = 12, index = 0; - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "search qq udp.\n"); + NDPI_LOG_DBG(ndpi_struct, "search qq udp\n"); if (flow->qq_stage <= 3) { @@ -273,8 +277,7 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, } */ flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, - "found qq udp pattern 030001 or 000e35 four times.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 030001 or 000e35 four times\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } 
@@ -287,8 +290,7 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, flow->qq_stage++; // maybe we can test here packet->payload[4] == packet->payload_packet_len if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, - "found qq udp pattern 02 ... 03 four times.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 02 ... 03 four times\n"); /* if (packet->payload[0] == 0x04) { ndpi_int_qq_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); @@ -309,11 +311,11 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, /* if (flow->qq_stage == 3 && flow->packet_direction_counter[0] > 0 && flow->packet_direction_counter[1] > 0) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern four times.\n"); + NDPI_LOG_DBG(ndpi_struct, "found qq udp pattern four times\n"); ndpi_int_qq_add_connection(ndpi_struct, flow, NDPI_REAL_PROTOCOL); return; } else */ if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern four times.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern four times\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } @@ -332,7 +334,7 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, && packet->payload[packet->payload_packet_len - 1] == 0x03) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 04 1159 ... 03 four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; 
@@ -345,7 +347,7 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, || packet->payload[packet->payload_packet_len - 1] == 0x03)) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 02/06 0100 ... 03/00 four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; @@ -357,7 +359,7 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, && ntohs(get_u_int16_t(packet->payload, 1)) == 0x1131 && packet->payload[packet->payload_packet_len - 1] == 0x03) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 02 1131 ... 03 four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; @@ -370,7 +372,7 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, get_u_int16_t(packet->payload, 4) == htons(0x0b0b)) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 0203[packet_length_0b0b] three times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; @@ -384,7 +386,7 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, && ntohs(get_u_int16_t(packet->payload, 2)) == packet->payload_packet_len) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 02 02 four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; 
@@ -398,18 +400,18 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, if (ndpi_is_valid_qq_packet(packet)) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq over udp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq over udp\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq packet stage %d\n", flow->qq_stage); + NDPI_LOG_DBG2(ndpi_struct, "found qq packet stage %d\n", flow->qq_stage); return; } if (ndpi_is_valid_qq_ft_packet(packet)) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq ft over udp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq ft over udp\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } @@ -420,8 +422,7 @@ static void ndpi_search_qq_udp(struct ndpi_detection_module_struct *ndpi_struct, return; } - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "QQ excluded\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QQ); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } 
@@ -434,22 +435,15 @@ __forceinline static void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - - u_int16_t i = 0; - // u_int16_t a = 0; - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "search qq tcp.\n"); + NDPI_LOG_DBG(ndpi_struct, "search qq tcp\n"); if (packet->payload_packet_len == 39 && get_u_int32_t(packet->payload, 0) == htonl(0x27000000) && get_u_int16_t(packet->payload, 4) == htons(0x0014) && get_u_int32_t(packet->payload, 11) != 0 && get_u_int16_t(packet->payload, packet->payload_packet_len - 2) == htons(0x0000)) { if (flow->qq_stage == 4) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq over tcp - maybe ft/audio/video.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq over tcp - maybe ft/audio/video\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } @@ -496,7 +490,7 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq over tcp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq over tcp\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } @@ -506,7 +500,7 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct if (ndpi_is_valid_qq_packet(packet)) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq over tcp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq over tcp\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } 
@@ -516,7 +510,7 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct if (ndpi_is_valid_qq_ft_packet(packet)) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq ft over tcp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq ft over tcp\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } @@ -537,7 +531,7 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct && get_u_int16_t(packet->payload, 3) == htons(0x0f5f)))) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq udp pattern 02 ... 03 four times.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 02 ... 03 four times\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } @@ -561,7 +555,7 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct && packet->payload[packet->payload_packet_len - 1] == 0x03) { flow->qq_stage++; if (flow->qq_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "found qq udp pattern 04 1159 ... 03 four times.\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; @@ -573,9 +567,9 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct if (packet->payload_packet_len > 100 && ((memcmp(packet->payload, "GET", 3) == 0) || (memcmp(packet->payload, "POST", 4) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found GET or POST.\n"); + NDPI_LOG_DBG2(ndpi_struct, "found GET or POST\n"); if (memcmp(packet->payload, "GET /qqfile/qq", 14) == 0) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq over tcp GET /qqfile/qq.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq over tcp GET /qqfile/qq\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } 
@@ -583,21 +577,21 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct if (packet->user_agent_line.ptr != NULL && (packet->user_agent_line.len > 7 && memcmp(packet->user_agent_line.ptr, "QQClient", 8) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq over tcp GET...QQClient\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq over tcp GET...QQClient\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } for (i = 0; i < packet->parsed_lines; i++) { if (packet->line[i].len > 3 && memcmp(packet->line[i].ptr, "QQ: ", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq over tcp GET...QQ: \n"); + NDPI_LOG_INFO(ndpi_struct, "found qq over tcp GET...QQ: \n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } } if (packet->host_line.ptr != NULL) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "host line ptr\n"); + NDPI_LOG_DBG2(ndpi_struct, "host line ptr\n"); if (packet->host_line.len > 11 && memcmp(&packet->host_line.ptr[0], "www.qq.co.za", 12) == 0) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq over tcp Host: www.qq.co.za\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq over tcp Host: www.qq.co.za\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } @@ -610,7 +604,7 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct break; } if (i == 81) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq Mail.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq Mail\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } 
@@ -619,18 +613,18 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct if (flow->qq_stage == 0 && packet->payload_packet_len == 182 && get_u_int32_t(packet->payload, 0) == htonl(0x000000b2) && get_u_int32_t(packet->payload, 4) == htonl(0x01020000) && get_u_int32_t(packet->payload, 8) == htonl(0x04015151) && get_u_int32_t(packet->payload, 12) == htonl(0x4d61696c)) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq Mail.\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq Mail\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len == 204 && flow->qq_stage == 0 && get_u_int32_t(packet->payload, 200) == htonl(0xfbffffff)) { for (i = 0; i < 200; i++) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "i = %u\n", i); + NDPI_LOG_DBG2(ndpi_struct, "i = %u\n", i); if (packet->payload[i] != 0) { break; } if (i == 199) { - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "found qq chat or file transfer\n"); + NDPI_LOG_INFO(ndpi_struct, "found qq chat or file transfer\n"); ndpi_int_qq_add_connection(ndpi_struct, flow); return; } @@ -641,7 +635,7 @@ void ndpi_search_qq_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct #endif /* NDPI_PROTOCOL_HTTP */ NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QQ); - NDPI_LOG(NDPI_PROTOCOL_QQ, ndpi_struct, NDPI_LOG_DEBUG, "QQ tcp excluded; len %u\n", + NDPI_LOG_DBG(ndpi_struct, "QQ tcp excluded; len %u\n", packet->payload_packet_len); #ifdef NDPI_PROTOCOL_HTTP diff --git a/src/lib/protocols/quake.c b/src/lib/protocols/quake.c index b119ec765..6f00c4296 100644 --- a/src/lib/protocols/quake.c +++ b/src/lib/protocols/quake.c 
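Review bot: The `NDPI_LOG_DBG2(ndpi_struct, "i = %u\n", i);` call sits inside the `for (i = 0; i < 200; i++)` scan, so with debug logging enabled a single 204-byte packet that passes the length and trailer test can emit up to 200 log lines. How often this fires is decided by traffic content, which makes a debug build easy to flood. I would drop the per-byte message, or log once after the loop with something like `NDPI_LOG_DBG2(ndpi_struct, "zero run ended at i = %u\n", i);`. The enclosing function starts and ends outside the hunk.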
@@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_QUAKE + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_QUAKE #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_QUAKE static void ndpi_int_quake_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -36,10 +40,9 @@ static void ndpi_int_quake_add_connection(struct ndpi_detection_module_struct void ndpi_search_quake(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; + NDPI_LOG_DBG(ndpi_struct, "search Quake\n"); + if ((packet->payload_packet_len == 14 && get_u_int16_t(packet->payload, 0) == 0xffff && memcmp(&packet->payload[2], "getInfo", 7) == 0) || (packet->payload_packet_len == 17 @@ -47,7 +50,7 @@ void ndpi_search_quake(struct ndpi_detection_module_struct *ndpi_struct, struct || (packet->payload_packet_len > 20 && packet->payload_packet_len < 30 && get_u_int16_t(packet->payload, 0) == 0xffff && memcmp(&packet->payload[2], "getServers", 10) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_QUAKE, ndpi_struct, NDPI_LOG_DEBUG, "Quake IV detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Quake IV\n"); ndpi_int_quake_add_connection(ndpi_struct, flow); return; } 
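Review bot: The new include layout looks order-dependent, but nothing in the file says so. `NDPI_CURRENT_PROTO` is defined before `ndpi_api.h` is included, presumably so that the `NDPI_LOG_*` and `NDPI_EXCLUDE_PROTO` macros pick up the protocol id. A one-line comment above the define, such as `/* must be defined before ndpi_api.h is included */`, would keep a later include clean-up from breaking it silently; this should be confirmed against the macro definitions, which are not in this hunk. The same pattern is added in quic.c, radius.c, rdp.c, redis_net.c, rsync.c, rtcp.c, rtmp.c, rtp.c, rtsp.c and rx.c.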
@@ -55,20 +58,20 @@ void ndpi_search_quake(struct ndpi_detection_module_struct *ndpi_struct, struct /* Quake III/Quake Live */ if (packet->payload_packet_len == 15 && get_u_int32_t(packet->payload, 0) == 0xffffffff && memcmp(&packet->payload[4], "getinfo", NDPI_STATICSTRING_LEN("getinfo")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_QUAKE, ndpi_struct, NDPI_LOG_DEBUG, "Quake III Arena/Quake Live detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Quake III Arena/Quake Live\n"); ndpi_int_quake_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len == 16 && get_u_int32_t(packet->payload, 0) == 0xffffffff && memcmp(&packet->payload[4], "getchallenge", NDPI_STATICSTRING_LEN("getchallenge")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_QUAKE, ndpi_struct, NDPI_LOG_DEBUG, "Quake III Arena/Quake Live detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Quake III Arena/Quake Live\n"); ndpi_int_quake_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len > 20 && packet->payload_packet_len < 30 && get_u_int32_t(packet->payload, 0) == 0xffffffff && memcmp(&packet->payload[4], "getservers", NDPI_STATICSTRING_LEN("getservers")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_QUAKE, ndpi_struct, NDPI_LOG_DEBUG, "Quake III Arena/Quake Live detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Quake III Arena/Quake Live\n"); ndpi_int_quake_add_connection(ndpi_struct, flow); return; } @@ -84,8 +87,7 @@ void ndpi_search_quake(struct ndpi_detection_module_struct *ndpi_struct, struct Quake Wars ????? */ - NDPI_LOG(NDPI_PROTOCOL_QUAKE, ndpi_struct, NDPI_LOG_DEBUG, "Quake excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QUAKE); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/quic.c b/src/lib/protocols/quic.c index 5a7fc70ab..24a2b8f12 100644 --- a/src/lib/protocols/quic.c +++ b/src/lib/protocols/quic.c 
@@ -22,10 +22,14 @@ * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_QUIC +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_QUIC + +#include "ndpi_api.h" + static int quic_ports(u_int16_t sport, u_int16_t dport) { if ((sport == 443 || dport == 443 || sport == 80 || dport == 80) && @@ -68,6 +72,8 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, u_int seq_len = quic_len((packet->payload[0] & 0x30) >> 4); u_int quic_hlen = 1 /* flags */ + version_len + seq_len + cid_len; + NDPI_LOG_DBG(ndpi_struct, "search QUIC\n"); + if(packet->udp != NULL && (udp_len > (quic_hlen+4 /* QXXX */)) && ((packet->payload[0] & 0xC2) == 0x00) @@ -78,7 +84,7 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, if((version_len > 0) && (packet->payload[1+cid_len] != 'Q')) goto no_quic; - NDPI_LOG(NDPI_PROTOCOL_QUIC, ndpi_struct, NDPI_LOG_DEBUG, "found QUIC.\n"); + NDPI_LOG_INFO(ndpi_struct, "found QUIC\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_QUIC, NDPI_PROTOCOL_UNKNOWN); if(packet->payload[quic_hlen+12] != 0xA0) @@ -126,8 +132,7 @@ void ndpi_search_quic(struct ndpi_detection_module_struct *ndpi_struct, } no_quic: - NDPI_LOG(NDPI_PROTOCOL_QUIC, ndpi_struct, NDPI_LOG_DEBUG, "exclude QUIC.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_QUIC); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } /* ***************************************************************** */ diff --git a/src/lib/protocols/radius.c b/src/lib/protocols/radius.c index 308049522..e0eb2657b 100644 --- a/src/lib/protocols/radius.c +++ b/src/lib/protocols/radius.c @@ -18,10 +18,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_RADIUS + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RADIUS #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_RADIUS struct radius_header { u_int8_t code; 
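Review bot: `packet->payload[quic_hlen+12]` is read right after the detection is set, but the only length guard visible for this branch (previous hunk) is `udp_len > (quic_hlen+4 /* QXXX */)`. Unless a check in the lines between the two hunks covers it, a datagram of quic_hlen+5 to quic_hlen+12 bytes is read past its end. The guard should cover the highest offset the body touches, e.g. `(udp_len > (quic_hlen+12))`, or the read should be made conditional on that length. In the same function `seq_len` is computed from `packet->payload[0]` in a declaration, before `packet->udp != NULL` or any length has been tested. The function body starts and ends outside these hunks.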
@@ -42,13 +46,12 @@ static void ndpi_check_radius(struct ndpi_detection_module_struct *ndpi_struct, && (h->code > 0) && (h->code <= 5) && (ntohs(h->len) == payload_len)) { - NDPI_LOG(NDPI_PROTOCOL_RADIUS, ndpi_struct, NDPI_LOG_DEBUG, "Found radius.\n"); + NDPI_LOG_INFO(ndpi_struct, "Found radius\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RADIUS, NDPI_PROTOCOL_UNKNOWN); return; } - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RADIUS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } } @@ -57,7 +60,7 @@ void ndpi_search_radius(struct ndpi_detection_module_struct *ndpi_struct, struct { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_RADIUS, ndpi_struct, NDPI_LOG_DEBUG, "radius detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search radius\n"); /* skip marked packets */ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_RADIUS) diff --git a/src/lib/protocols/rdp.c b/src/lib/protocols/rdp.c index ee3dd3ca6..9ce692893 100644 --- a/src/lib/protocols/rdp.c +++ b/src/lib/protocols/rdp.c @@ -23,9 +23,14 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_RDP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RDP + +#include "ndpi_api.h" + static void ndpi_int_rdp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -36,8 +41,7 @@ void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct nd { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; + NDPI_LOG_DBG(ndpi_struct, "search RDP\n"); if (packet->payload_packet_len > 10 && get_u_int8_t(packet->payload, 0) > 0 
@@ -45,12 +49,12 @@ void ndpi_search_rdp(struct ndpi_detection_module_struct *ndpi_struct, struct nd && get_u_int8_t(packet->payload, 4) == packet->payload_packet_len - 5 && get_u_int8_t(packet->payload, 5) == 0xe0 && get_u_int16_t(packet->payload, 6) == 0 && get_u_int16_t(packet->payload, 8) == 0 && get_u_int8_t(packet->payload, 10) == 0) { - NDPI_LOG(NDPI_PROTOCOL_RDP, ndpi_struct, NDPI_LOG_DEBUG, "RDP detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found RDP\n"); ndpi_int_rdp_add_connection(ndpi_struct, flow); return; } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RDP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/redis_net.c b/src/lib/protocols/redis_net.c index 4a9eeec46..4b51908fd 100644 --- a/src/lib/protocols/redis_net.c +++ b/src/lib/protocols/redis_net.c @@ -18,10 +18,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_REDIS + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_REDIS #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_REDIS static void ndpi_int_redis_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_REDIS, NDPI_PROTOCOL_UNKNOWN); @@ -36,8 +40,7 @@ static void ndpi_check_redis(struct ndpi_detection_module_struct *ndpi_struct, s /* Break after 20 packets. */ if(flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_REDIS, ndpi_struct, NDPI_LOG_DEBUG, "Exclude Redis.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_REDIS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } 
@@ -66,11 +69,10 @@ static void ndpi_check_redis(struct ndpi_detection_module_struct *ndpi_struct, s && ((flow->redis_d2s_first_char == '+') || (flow->redis_d2s_first_char == ':'))) || ((flow->redis_d2s_first_char == '*') && ((flow->redis_s2d_first_char == '+') || (flow->redis_s2d_first_char == ':')))) { - NDPI_LOG(NDPI_PROTOCOL_REDIS, ndpi_struct, NDPI_LOG_DEBUG, "Found Redis.\n"); + NDPI_LOG_INFO(ndpi_struct, "Found Redis\n"); ndpi_int_redis_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_REDIS, ndpi_struct, NDPI_LOG_DEBUG, "Exclude Redis.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_REDIS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } else return; /* Too early */ @@ -79,7 +81,7 @@ static void ndpi_check_redis(struct ndpi_detection_module_struct *ndpi_struct, s void ndpi_search_redis(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_REDIS, ndpi_struct, NDPI_LOG_DEBUG, "Redis detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search Redis\n"); /* skip marked packets */ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_REDIS) { diff --git a/src/lib/protocols/rsync.c b/src/lib/protocols/rsync.c index 2b85da72b..157b2e0e0 100644 --- a/src/lib/protocols/rsync.c +++ b/src/lib/protocols/rsync.c @@ -19,10 +19,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_RSYNC + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RSYNC #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_RSYNC static void ndpi_int_rsync_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
@@ -33,10 +37,10 @@ void ndpi_search_rsync(struct ndpi_detection_module_struct *ndpi_struct, struct { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "search for RSYNC.\n"); + NDPI_LOG_DBG(ndpi_struct, "search RSYNC\n"); if(packet->tcp) { - NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "calculating RSYNC over tcp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculating RSYNC over tcp\n"); /* * Should match: memcmp(packet->payload, "@RSYNCD: 28", 14) == 0) */ @@ -45,12 +49,11 @@ void ndpi_search_rsync(struct ndpi_detection_module_struct *ndpi_struct, struct packet->payload[3] == 0x59 && packet->payload[4] == 0x4e && packet->payload[5] == 0x43 && packet->payload[6] == 0x44 && packet->payload[7] == 0x3a ) { - NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "found rsync.\n"); + NDPI_LOG_INFO(ndpi_struct, "found rsync\n"); ndpi_int_rsync_add_connection(ndpi_struct, flow); } } else { - NDPI_LOG(NDPI_PROTOCOL_RSYNC, ndpi_struct, NDPI_LOG_DEBUG, "exclude RSYNC.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RSYNC); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/rtcp.c b/src/lib/protocols/rtcp.c index cc6265220..b924b476d 100644 --- a/src/lib/protocols/rtcp.c +++ b/src/lib/protocols/rtcp.c @@ -4,11 +4,14 @@ * Copyright (C) 2013 Remy Mudingay * */ +#include "ndpi_protocol_ids.h" +#ifdef NDPI_PROTOCOL_RTCP + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RTCP #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_RTCP static void ndpi_int_rtcp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
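Review bot: A TCP flow whose payload does not match the `@RSYNCD:` bytes is never excluded. `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` is reached only from the `else` of `if(packet->tcp)`, so the dissector appears to run again on every later packet of such a flow. If that is not intended, add `else { NDPI_EXCLUDE_PROTO(ndpi_struct, flow); }` to the inner signature test, or a packet-count cut-off like the `flow->packet_counter > 20` check in redis_net.c and rtmp.c. The head of the inner `if` is outside the hunk, so this is read from the visible brace structure.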
@@ -20,18 +23,18 @@ void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct n struct ndpi_packet_struct *packet = &flow->packet; u_int16_t dport = 0, sport = 0; - NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "search for RTCP.\n"); + NDPI_LOG_DBG(ndpi_struct, "search RTCP\n"); if(packet->tcp != NULL) { sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); - NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over tcp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculating dport over tcp\n"); if(packet->payload_packet_len > 13 && (sport == 554 || dport == 554) && packet->payload[0] == 0x00 && packet->payload[1] == 0x00 && packet->payload[2] == 0x01 && packet->payload[3] == 0x01 && packet->payload[4] == 0x08 && packet->payload[5] == 0x0a && packet->payload[6] == 0x00 && packet->payload[7] == 0x01) { - NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "found rtcp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found rtcp\n"); ndpi_int_rtcp_add_connection(ndpi_struct, flow); } } else if(packet->udp != NULL) { 
@@ -48,20 +51,19 @@ void ndpi_search_rtcp(struct ndpi_detection_module_struct *ndpi_struct, struct n offset += rtcp_section_len; } - NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over udp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculating dport over udp\n"); /* TODO changed a pair of length condition to the && from ||. Is it correct? */ if(((packet->payload_packet_len >= 28 && packet->payload_packet_len <= 1200) && ((packet->payload[0] == 0x80) && ((packet->payload[1] == 0xc8) || (packet->payload[1] == 0xc9)) && (packet->payload[2] == 0x00))) || (packet->payload_packet_len >= 3 && ((packet->payload[0] == 0x81) && ((packet->payload[1] == 0xc8) || (packet->payload[1] == 0xc9)) && (packet->payload[2] == 0x00)))) { - NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "found rtcp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found rtcp\n"); ndpi_int_rtcp_add_connection(ndpi_struct, flow); } } else { exclude_rtcp: - NDPI_LOG(NDPI_PROTOCOL_RTCP, ndpi_struct, NDPI_LOG_DEBUG, "exclude RTCP.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTCP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/rtmp.c b/src/lib/protocols/rtmp.c index b6d7db2f1..52492a290 100644 --- a/src/lib/protocols/rtmp.c +++ b/src/lib/protocols/rtmp.c @@ -23,10 +23,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_RTMP + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RTMP #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_RTMP static void ndpi_int_rtmp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTMP, NDPI_PROTOCOL_UNKNOWN); 
@@ -39,24 +43,23 @@ static void ndpi_check_rtmp(struct ndpi_detection_module_struct *ndpi_struct, st /* Break after 20 packets. */ if (flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_RTMP, ndpi_struct, NDPI_LOG_DEBUG, "Exclude RTMP.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTMP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } /* Check if we so far detected the protocol in the request or not. */ if (flow->rtmp_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_RTMP, ndpi_struct, NDPI_LOG_DEBUG, "RTMP stage 0: \n"); + NDPI_LOG_DBG2(ndpi_struct, "RTMP stage 0: \n"); if ((payload_len >= 4) && ((packet->payload[0] == 0x03) || (packet->payload[0] == 0x06))) { - NDPI_LOG(NDPI_PROTOCOL_RTMP, ndpi_struct, NDPI_LOG_DEBUG, "Possible RTMP request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible RTMP request detected, we will look further for the response\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->rtmp_stage = packet->packet_direction + 1; } } else { - NDPI_LOG(NDPI_PROTOCOL_RTMP, ndpi_struct, NDPI_LOG_DEBUG, "RTMP stage %u: \n", flow->rtmp_stage); + NDPI_LOG_DBG2(ndpi_struct, "RTMP stage %u: \n", flow->rtmp_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->rtmp_stage - packet->packet_direction) == 1) { 
@@ -65,10 +68,10 @@ static void ndpi_check_rtmp(struct ndpi_detection_module_struct *ndpi_struct, st /* This is a packet in another direction. Check if we find the proper response. */ if ((payload_len >= 4) && ((packet->payload[0] == 0x03) || (packet->payload[0] == 0x06) || (packet->payload[0] == 0x08) || (packet->payload[0] == 0x09) || (packet->payload[0] == 0x0a))) { - NDPI_LOG(NDPI_PROTOCOL_RTMP, ndpi_struct, NDPI_LOG_DEBUG, "Found RTMP.\n"); + NDPI_LOG_INFO(ndpi_struct, "found RTMP\n"); ndpi_int_rtmp_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_RTMP, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to RTMP, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to RTMP, resetting the stage to 0\n"); flow->rtmp_stage = 0; } @@ -79,7 +82,7 @@ void ndpi_search_rtmp(struct ndpi_detection_module_struct *ndpi_struct, struct n { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_RTMP, ndpi_struct, NDPI_LOG_DEBUG, "RTMP detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search RTMP\n"); /* skip marked packets */ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_RTMP) { diff --git a/src/lib/protocols/rtp.c b/src/lib/protocols/rtp.c index 80848f5ba..3acf71b61 100644 --- a/src/lib/protocols/rtp.c +++ b/src/lib/protocols/rtp.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_RTP + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RTP #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_RTP /* http://www.myskypelab.com/2014/05/microsoft-lync-wireshark-plugin.html */ @@ -73,6 +77,7 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, const u_int8_t * payload, const u_int16_t payload_len) { + NDPI_LOG_DBG(ndpi_struct, "search RTP\n"); if (payload_len < 2) return; //struct ndpi_packet_struct *packet = &flow->packet; 
@@ -89,24 +94,25 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, ) && (*ssid != 0) ) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found RTP.\n"); + NDPI_LOG_INFO(ndpi_struct, "Found RTP\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTP, NDPI_PROTOCOL_UNKNOWN); return; } else if((payload_len >= 12) && (((payload[0] & 0xFF) == 0x80) || ((payload[0] & 0xFF) == 0xA0)) /* RTP magic byte[1] */ && (payloadType = isValidMSRTPType(payload[1] & 0xFF))) { if(payloadType == 1 /* RTP */) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found Skype for Business (former MS Lync)\n"); + NDPI_LOG_INFO(ndpi_struct, "Found Skype for Business (former MS Lync)\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN); + return; } else /* RTCP */ { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "Found MS RTCP\n"); + NDPI_LOG_INFO(ndpi_struct, "Found MS RTCP\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RTCP, NDPI_PROTOCOL_UNKNOWN); + return; } } /* No luck this time */ - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -155,7 +161,7 @@ void init_seq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow u_int8_t direction, u_int16_t seq, u_int8_t include_current_packet) { flow->rtp_seqnum[direction] = seq; - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "rtp_seqnum[%u] = %u\n", direction, seq); + NDPI_LOG_DBG(ndpi_struct, "rtp_seqnum[%u] = %u\n", direction, seq); } /* returns difference between old and new highest sequence number */ 
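Review bot: The two `return;` lines added after the Skype for Business and MS RTCP detections change classification behaviour in a hunk that otherwise only rewrites logging. Before, both branches fell through to the RTP exclusion at the end of the function. That is probably the intended fix, but it deserves a comment such as `/* detected as another protocol: skip the RTP exclusion below */`. Since both arms now return, a single `return;` after the inner if/else would say the same with less code. These messages are presumably also attributed to RTP through `NDPI_CURRENT_PROTO` although the flow is labelled SKYPE or RTCP, which matters when filtering logs by protocol.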
@@ -173,11 +179,11 @@ u_int16_t update_seq(struct ndpi_detection_module_struct *ndpi_struct, struct nd if (delta < RTP_MAX_OUT_OF_ORDER) { /* in order, with permissible gap */ flow->rtp_seqnum[direction] = seq; - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "rtp_seqnum[%u] = %u (increased by %u)\n", + NDPI_LOG_DBG(ndpi_struct, "rtp_seqnum[%u] = %u (increased by %u)\n", direction, seq, delta); return delta; } else { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "retransmission (dir %u, seqnum %u)\n", + NDPI_LOG_DBG(ndpi_struct, "retransmission (dir %u, seqnum %u)\n", direction, seq); return 0; } 
@@ -192,55 +198,54 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, u_int8_t stage; u_int16_t seqnum = ntohs(get_u_int16_t(payload, 2)); - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "search rtp.\n"); + NDPI_LOG_DBG(ndpi_struct, "search rtp\n"); if (payload_len == 4 && get_u_int32_t(packet->payload, 0) == 0 && flow->packet_counter < 8) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "need next packet, maybe ClearSea out calls.\n"); + NDPI_LOG_DBG(ndpi_struct, "need next packet, maybe ClearSea out calls\n"); return; } if (payload_len == 5 && memcmp(payload, "hello", 5) == 0) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG(ndpi_struct, "need next packet, initial hello packet of SIP out calls.\n"); return; } if (payload_len == 1 && payload[0] == 0) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG(ndpi_struct, "need next packet, payload_packet_len == 1 && payload[0] == 0.\n"); return; } if (payload_len == 3 && memcmp(payload, "png", 3) == 0) { /* weird packet found in Ninja GlobalIP trace */ - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "skipping packet with len = 3 and png payload.\n"); + NDPI_LOG_DBG(ndpi_struct, "skipping packet with len = 3 and png payload\n"); return; } if (payload_len < 12) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "minimal packet size for rtp packets: 12.\n"); + NDPI_LOG_DBG(ndpi_struct, "minimal packet size for rtp packets: 12\n"); goto exclude_rtp; } if (payload_len == 12 && get_u_int32_t(payload, 0) == 0 && get_u_int32_t(payload, 4) == 0 && get_u_int32_t(payload, 8) == 0) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "skipping packet with len = 12 and only 0-bytes.\n"); + NDPI_LOG_DBG(ndpi_struct, "skipping packet with len = 12 and only 0-bytes\n"); return; } if ((payload[0] & 0xc0) == 0xc0 || (payload[0] & 0xc0) == 0x40 || (payload[0] & 0xc0) == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_RTP, 
ndpi_struct, NDPI_LOG_DEBUG, "version = 3 || 1 || 0, maybe first rtp packet.\n"); + NDPI_LOG_DBG(ndpi_struct, "version = 3 || 1 || 0, maybe first rtp packet\n"); return; } if ((payload[0] & 0xc0) != 0x80) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, - NDPI_LOG_DEBUG, "rtp version must be 2, first two bits of a packets must be 10.\n"); + NDPI_LOG_DBG(ndpi_struct, "rtp version must be 2, first two bits of a packets must be 10\n"); goto exclude_rtp; } /* rtp_payload_type are the last seven bits of the second byte */ if (flow->rtp_payload_type[packet->packet_direction] != (payload[1] & 0x7F)) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "payload_type has changed, reset stages.\n"); + NDPI_LOG_DBG(ndpi_struct, "payload_type has changed, reset stages\n"); packet->packet_direction == 0 ? (flow->rtp_stage1 = 0) : (flow->rtp_stage2 = 0); } /* first bit of first byte is not part of payload_type */ 
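Review bot: `u_int16_t seqnum = ntohs(get_u_int16_t(payload, 2));` reads bytes 2–3 of the payload in the declaration, before any length test. The checks that follow handle `payload_len == 1` and `payload_len == 3`, so such short packets are read past the end of the payload. Declare it as `u_int16_t seqnum = 0;` and assign `seqnum = ntohs(get_u_int16_t(payload, 2));` after the `payload_len < 12` test, which comes before its first use in the visible code. This second `ndpi_rtp_search` definition may be compiled out by a preprocessor branch that is not visible here, and the function's start and end lie outside the hunk.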
@@ -249,51 +254,48 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, stage = (packet->packet_direction == 0 ? flow->rtp_stage1 : flow->rtp_stage2); if (stage > 0) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, - NDPI_LOG_DEBUG, "stage = %u.\n", packet->packet_direction == 0 ? flow->rtp_stage1 : flow->rtp_stage2); + NDPI_LOG_DBG(ndpi_struct, "stage = %u\n", packet->packet_direction == 0 ? flow->rtp_stage1 : flow->rtp_stage2); if (flow->rtp_ssid[packet->packet_direction] != get_u_int32_t(payload, 8)) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "ssid has changed, goto exclude rtp.\n"); + NDPI_LOG_DBG(ndpi_struct, "ssid has changed, goto exclude rtp\n"); goto exclude_rtp; } if (seqnum == flow->rtp_seqnum[packet->packet_direction]) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "maybe \"retransmission\", need next packet.\n"); + NDPI_LOG_DBG(ndpi_struct, "maybe \"retransmission\", need next packet\n"); return; } else if ((u_int16_t) (seqnum - flow->rtp_seqnum[packet->packet_direction]) < RTP_MAX_OUT_OF_ORDER) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG(ndpi_struct, "new packet has larger sequence number (within valid range)\n"); update_seq(ndpi_struct, flow, packet->packet_direction, seqnum); } else if ((u_int16_t) (flow->rtp_seqnum[packet->packet_direction] - seqnum) < RTP_MAX_OUT_OF_ORDER) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG(ndpi_struct, "new packet has smaller sequence number (within valid range)\n"); init_seq(ndpi_struct, flow, packet->packet_direction, seqnum, 1); } else { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG(ndpi_struct, "sequence number diff is too big, goto exclude rtp.\n"); goto exclude_rtp; } } else { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, - NDPI_LOG_DEBUG, "rtp_ssid[%u] = %u.\n", packet->packet_direction, + NDPI_LOG_DBG(ndpi_struct, "rtp_ssid[%u] = %u\n", packet->packet_direction, 
flow->rtp_ssid[packet->packet_direction]); flow->rtp_ssid[packet->packet_direction] = get_u_int32_t(payload, 8); if (flow->packet_counter < 3) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "packet_counter < 3, need next packet.\n"); + NDPI_LOG_DBG(ndpi_struct, "packet_counter < 3, need next packet\n"); } init_seq(ndpi_struct, flow, packet->packet_direction, seqnum, 1); } if (seqnum <= 3) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, - NDPI_LOG_DEBUG, "sequence_number = %u, too small, need next packet, return.\n", seqnum); + NDPI_LOG_DBG(ndpi_struct, "sequence_number = %u, too small, need next packet, return\n", seqnum); return; } if (stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "add connection I.\n"); + NDPI_LOG_DBG(ndpi_struct, "add connection I\n"); ndpi_int_rtp_add_connection(ndpi_struct, flow); } else { packet->packet_direction == 0 ? flow->rtp_stage1++ : flow->rtp_stage2++; - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "stage[%u]++; need next packet.\n", + NDPI_LOG_DBG(ndpi_struct, "stage[%u]++; need next packet\n", packet->packet_direction); } return; @@ -302,12 +304,11 @@ static void ndpi_rtp_search(struct ndpi_detection_module_struct *ndpi_struct, #ifdef NDPI_PROTOCOL_STUN if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN || /* packet->real_protocol_read_only == NDPI_PROTOCOL_STUN */) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "STUN: is detected, need next packet.\n"); + NDPI_LOG_DBG(ndpi_struct, "STUN: is detected, need next packet\n"); return; } #endif /* NDPI_PROTOCOL_STUN */ - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } 
@@ -325,7 +326,7 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd packet->payload[0] == 0x90 && packet->payload[1] >= 0x01 && packet->payload[1] <= 0x07) { if (flow->packet_counter == 2) flow->l4.tcp.rtp_special_packets_seen = 1; - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG(ndpi_struct, "skipping STUN-like, special yahoo packets with payload[0] == 0x90.\n"); return; } @@ -366,14 +367,12 @@ void ndpi_search_rtp(struct ndpi_detection_module_struct *ndpi_struct, struct nd } if (NDPI_FLOW_PROTOCOL_EXCLUDED(ndpi_struct, flow, NDPI_PROTOCOL_STUN)) { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "STUN not yet excluded, need next packet.\n"); + NDPI_LOG_DBG(ndpi_struct, "STUN not yet excluded, need next packet\n"); } #else - NDPI_LOG(NDPI_PROTOCOL_RTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude rtp.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); #endif } } diff --git a/src/lib/protocols/rtsp.c b/src/lib/protocols/rtsp.c index 0f4a71e52..e20c53065 100644 --- a/src/lib/protocols/rtsp.c +++ b/src/lib/protocols/rtsp.c 
@@ -22,19 +22,20 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_RTSP -#ifndef NDPI_PROTOCOL_RTP -#error RTSP requires RTP detection to work correctly -#endif -#ifndef NDPI_PROTOCOL_RTSP -#error RTSP requires RTSP detection to work correctly -#endif -#ifndef NDPI_PROTOCOL_RDP -#error RTSP requires RDP detection to work correctly -#endif + #ifndef NDPI_PROTOCOL_RTP + #error RTSP requires RTP detection to work correctly + #endif + #ifndef NDPI_PROTOCOL_RDP + #error RTSP requires RDP detection to work correctly + #endif + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RTSP + +#include "ndpi_api.h" + static void ndpi_int_rtsp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , */ @@ -52,7 +53,7 @@ void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - NDPI_LOG(NDPI_PROTOCOL_RTSP, ndpi_struct, NDPI_LOG_TRACE, "RTSP detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search RTSP\n"); if (flow->rtsprdt_stage == 0 #ifdef NDPI_PROTOCOL_RTCP @@ -60,13 +61,13 @@ void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct #endif ) { flow->rtsprdt_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_RTSP, ndpi_struct, NDPI_LOG_DEBUG, "maybe handshake 1; need next packet, return.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe handshake 1; need next packet, return\n"); return; } if (flow->packet_counter < 3 && flow->rtsprdt_stage == 1 + packet->packet_direction) { - NDPI_LOG(NDPI_PROTOCOL_RTSP, ndpi_struct, NDPI_LOG_DEBUG, "maybe handshake 2; need next packet.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe handshake 2; need next packet\n"); return; } 
@@ -80,20 +81,20 @@ void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct // RTSP Server Message if((memcmp(packet->payload, "RTSP/1.0 ", 9) == 0) || (strstr(buf, "rtsp://") != NULL)) { - NDPI_LOG(NDPI_PROTOCOL_RTSP, ndpi_struct, NDPI_LOG_TRACE, "found RTSP/1.0 .\n"); + NDPI_LOG_DBG2(ndpi_struct, "found RTSP/1.0 \n"); if (dst != NULL) { - NDPI_LOG(NDPI_PROTOCOL_RTSP, ndpi_struct, NDPI_LOG_TRACE, "found dst.\n"); + NDPI_LOG_DBG2(ndpi_struct, "found dst\n"); ndpi_packet_src_ip_get(packet, &dst->rtsp_ip_address); dst->rtsp_timer = packet->tick_timestamp; dst->rtsp_ts_set = 1; } if (src != NULL) { - NDPI_LOG(NDPI_PROTOCOL_RTSP, ndpi_struct, NDPI_LOG_TRACE, "found src.\n"); + NDPI_LOG_DBG2(ndpi_struct, "found src\n"); ndpi_packet_dst_ip_get(packet, &src->rtsp_ip_address); src->rtsp_timer = packet->tick_timestamp; src->rtsp_ts_set = 1; } - NDPI_LOG(NDPI_PROTOCOL_RTSP, ndpi_struct, NDPI_LOG_TRACE, "RTSP detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found RTSP\n"); flow->rtsp_control_flow = 1; ndpi_int_rtsp_add_connection(ndpi_struct, flow); return; @@ -105,14 +106,13 @@ void ndpi_search_rtsp_tcp_udp(struct ndpi_detection_module_struct || (NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTCP) == 0) #endif )) { - NDPI_LOG(NDPI_PROTOCOL_RTSP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "maybe RTSP RTP, RTSP RTCP, RDT; need next packet.\n"); return; } - NDPI_LOG(NDPI_PROTOCOL_RTSP, ndpi_struct, NDPI_LOG_DEBUG, "didn't find handshake, exclude.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RTSP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } diff --git a/src/lib/protocols/rx.c b/src/lib/protocols/rx.c index b206ff5aa..c61f0a9ad 100644 --- a/src/lib/protocols/rx.c +++ b/src/lib/protocols/rx.c 
@@ -22,11 +22,15 @@ * along with nDPI. If not, see . * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_api.h" #ifdef NDPI_PROTOCOL_RX +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_RX + +#include "ndpi_api.h" + /* See http://web.mit.edu/kolya/afs/rx/rx-spec for protocol description. */ /* The should be no need for explicit packing, but just in case... */ @@ -79,13 +83,12 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_packet_struct *packet = &flow->packet; u_int32_t payload_len = packet->payload_packet_len; - NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "RX: pck: %d, dir[0]: %d, dir[1]: %d\n", + NDPI_LOG_DBG2(ndpi_struct, "RX: pck: %d, dir[0]: %d, dir[1]: %d\n", flow->packet_counter, flow->packet_direction_counter[0], flow->packet_direction_counter[1]); /* Check that packet is long enough */ if (payload_len < sizeof(struct ndpi_rx_header)) { - NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "excluding RX\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RX); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -108,8 +111,7 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct, /* TYPE field */ if((header->type < DATA) || (header->type > VERSION)) { - NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "excluding RX\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RX); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } 
@@ -157,13 +159,11 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct, case VERSION: goto security; default: - NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "excluding RX\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RX); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } // switch } else { // FLAG - NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "excluding RX\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RX); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -171,8 +171,7 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct, /* SECURITY field */ if(header->security > 3) { - NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "excluding RX\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RX); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -184,21 +183,20 @@ void ndpi_check_rx(struct ndpi_detection_module_struct *ndpi_struct, if (flow->l4.udp.rx_conn_epoch == header->conn_epoch && flow->l4.udp.rx_conn_id == header->conn_id) { - NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "found RX\n"); + NDPI_LOG_INFO(ndpi_struct, "found RX\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RX, NDPI_PROTOCOL_UNKNOWN); } /* https://www.central.org/frameless/numbers/rxservice.html. */ else { - NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "excluding RX\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_RX); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } } else { flow->l4.udp.rx_conn_epoch = header->conn_epoch; flow->l4.udp.rx_conn_id = header->conn_id; { - NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "found RX\n"); + NDPI_LOG_INFO(ndpi_struct, "found RX\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_RX, NDPI_PROTOCOL_UNKNOWN); } } 
@@ -209,7 +207,7 @@ void ndpi_search_rx(struct ndpi_detection_module_struct *ndpi_struct, { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_RX, ndpi_struct, NDPI_LOG_DEBUG, "entering RX search\n"); + NDPI_LOG_DBG(ndpi_struct, "search RX\n"); if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_RX) { ndpi_check_rx(ndpi_struct, flow); } diff --git a/src/lib/protocols/sflow.c b/src/lib/protocols/sflow.c index 45ccb650a..75b631abc 100644 --- a/src/lib/protocols/sflow.c +++ b/src/lib/protocols/sflow.c 
@@ -18,35 +18,35 @@ * */ - -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_SFLOW -static void ndpi_check_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SFLOW + +#include "ndpi_api.h" + +void ndpi_search_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; // const u_int8_t *packet_payload = packet->payload; u_int32_t payload_len = packet->payload_packet_len; + NDPI_LOG_DBG(ndpi_struct, "search sflow\n"); + if((packet->udp != NULL) && (payload_len >= 24) /* Version */ && (packet->payload[0] == 0) && (packet->payload[1] == 0) && (packet->payload[2] == 0) && ((packet->payload[3] == 2) || (packet->payload[3] == 5))) { - NDPI_LOG(NDPI_PROTOCOL_SFLOW, ndpi_struct, NDPI_LOG_DEBUG, "Found sflow.\n"); + NDPI_LOG_INFO(ndpi_struct, "found sflow\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SFLOW, NDPI_PROTOCOL_UNKNOWN); return; } -} -void ndpi_search_sflow(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) -{ - NDPI_LOG(NDPI_PROTOCOL_SFLOW, ndpi_struct, NDPI_LOG_DEBUG, "sflow detection...\n"); - ndpi_check_sflow(ndpi_struct, flow); +// FIXME NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } - void init_sflow_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { ndpi_set_bitmask_protocol_detection("sFlow", ndpi_struct, detection_bitmask, *id, diff --git a/src/lib/protocols/shoutcast.c b/src/lib/protocols/shoutcast.c index 9ef6c37e8..2115c574f 100644 --- a/src/lib/protocols/shoutcast.c +++ b/src/lib/protocols/shoutcast.c 
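Review bot: The merged `ndpi_search_sflow()` ends on `// FIXME NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`, so a flow that fails the version test is never added to the excluded bitmask. The dissector will presumably be re-run on every later packet of that flow. Either enable the call as `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` or replace the FIXME with a comment that says why exclusion is deferred, for example `/* not excluded: sFlow datagrams may start later in the flow */` if that is the reason. The match rests on four bytes (`00 00 00 02` or `00 00 00 05`) and a 24-byte minimum on any UDP port, so without exclusion a later unrelated datagram with that prefix would still be labelled sFlow. The `return;` just before the FIXME is now redundant.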
@@ -22,11 +22,14 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_SHOUTCAST +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SHOUTCAST + +#include "ndpi_api.h" + static void ndpi_int_shoutcast_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -39,13 +42,13 @@ void ndpi_search_shoutcast_tcp(struct ndpi_detection_module_struct struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_SHOUTCAST, ndpi_struct, NDPI_LOG_DEBUG, "search shoutcast.\n"); + NDPI_LOG_DBG(ndpi_struct, "search shoutcast\n"); if (flow->packet_counter == 1) { /* this case in paul_upload_oddcast_002.pcap */ if (packet->payload_packet_len >= 6 && packet->payload_packet_len < 80 && memcmp(packet->payload, "123456", 6) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SHOUTCAST, ndpi_struct, NDPI_LOG_DEBUG, "Shoutcast stage 1, \"123456\".\n"); + NDPI_LOG_DBG2(ndpi_struct, "Shoutcast stage 1, \"123456\"\n"); return; } if (flow->packet_counter < 3 @@ -53,11 +56,11 @@ void ndpi_search_shoutcast_tcp(struct ndpi_detection_module_struct && packet->detected_protocol_stack[0] == NDPI_PROTOCOL_HTTP #endif ) { - NDPI_LOG(NDPI_PROTOCOL_SHOUTCAST, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "http detected, need next packet for shoutcast detection.\n"); if (packet->payload_packet_len > 4 && get_u_int32_t(packet->payload, packet->payload_packet_len - 4) != htonl(0x0d0a0d0a)) { - NDPI_LOG(NDPI_PROTOCOL_SHOUTCAST, ndpi_struct, NDPI_LOG_DEBUG, "segmented packet found.\n"); + NDPI_LOG_DBG2(ndpi_struct, "segmented packet found\n"); flow->l4.tcp.shoutcast_stage = 1 + packet->packet_direction; } return; 
@@ -70,7 +73,7 @@ void ndpi_search_shoutcast_tcp(struct ndpi_detection_module_struct } /* evtl. für asym detection noch User-Agent:Winamp dazunehmen. */ if (packet->payload_packet_len > 11 && memcmp(packet->payload, "ICY 200 OK\x0d\x0a", 12) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SHOUTCAST, ndpi_struct, NDPI_LOG_DEBUG, "found shoutcast by ICY 200 OK.\n"); + NDPI_LOG_INFO(ndpi_struct, "found shoutcast by ICY 200 OK\n"); ndpi_int_shoutcast_add_connection(ndpi_struct, flow); return; } @@ -81,19 +84,19 @@ void ndpi_search_shoutcast_tcp(struct ndpi_detection_module_struct if (flow->packet_counter == 2) { if (packet->payload_packet_len == 2 && memcmp(packet->payload, "\x0d\x0a", 2) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SHOUTCAST, ndpi_struct, NDPI_LOG_DEBUG, "Shoutcast stage 1 continuation.\n"); + NDPI_LOG_DBG2(ndpi_struct, "Shoutcast stage 1 continuation\n"); return; } else if (packet->payload_packet_len > 3 && memcmp(&packet->payload[0], "OK2", 3) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SHOUTCAST, ndpi_struct, NDPI_LOG_DEBUG, "Shoutcast stage 2, OK2 found.\n"); + NDPI_LOG_DBG2(ndpi_struct, "Shoutcast stage 2, OK2 found\n"); return; } else goto exclude_shoutcast; } else if (flow->packet_counter == 3 || flow->packet_counter == 4) { if (packet->payload_packet_len > 3 && memcmp(&packet->payload[0], "OK2", 3) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SHOUTCAST, ndpi_struct, NDPI_LOG_DEBUG, "Shoutcast stage 2, OK2 found.\n"); + NDPI_LOG_DBG2(ndpi_struct, "Shoutcast stage 2, OK2 found\n"); return; } else if (packet->payload_packet_len > 4 && memcmp(&packet->payload[0], "icy-", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SHOUTCAST, ndpi_struct, NDPI_LOG_DEBUG, "Shoutcast detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found Shoutcast\n"); ndpi_int_shoutcast_add_connection(ndpi_struct, flow); return; } else 
@@ -101,8 +104,7 @@ void ndpi_search_shoutcast_tcp(struct ndpi_detection_module_struct } exclude_shoutcast: - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SHOUTCAST); - NDPI_LOG(NDPI_PROTOCOL_SHOUTCAST, ndpi_struct, NDPI_LOG_DEBUG, "Shoutcast excluded.\n"); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/sip.c b/src/lib/protocols/sip.c index 94386d61e..44d2a12fe 100644 --- a/src/lib/protocols/sip.c +++ b/src/lib/protocols/sip.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_SIP + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SIP #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_SIP static void ndpi_int_sip_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int8_t due_to_correlation) { @@ -41,18 +45,14 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; const u_int8_t *packet_payload = packet->payload; u_int32_t payload_len = packet->payload_packet_len; - if (payload_len > 4) { /* search for STUN Turn ChannelData Prefix */ u_int16_t message_len = ntohs(get_u_int16_t(packet->payload, 2)); if (payload_len - 4 == message_len) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found STUN TURN ChannelData prefix.\n"); + NDPI_LOG_DBG2(ndpi_struct, "found STUN TURN ChannelData prefix\n"); payload_len -= 4; packet_payload += 4; } 
@@ -68,7 +68,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct if ((memcmp(packet_payload, "NOTIFY ", 7) == 0 || memcmp(packet_payload, "notify ", 7) == 0) && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip NOTIFY.\n"); + NDPI_LOG_INFO(ndpi_struct, "found sip NOTIFY\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; } @@ -76,14 +76,14 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct if ((memcmp(packet_payload, "REGISTER ", 9) == 0 || memcmp(packet_payload, "register ", 9) == 0) && (memcmp(&packet_payload[9], "SIP:", 4) == 0 || memcmp(&packet_payload[9], "sip:", 4) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip REGISTER.\n"); + NDPI_LOG_INFO(ndpi_struct, "found sip REGISTER\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; } if ((memcmp(packet_payload, "INVITE ", 7) == 0 || memcmp(packet_payload, "invite ", 7) == 0) && (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip INVITE.\n"); + NDPI_LOG_INFO(ndpi_struct, "found sip INVITE\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; } 
@@ -95,34 +95,34 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct /* if (memcmp(packet_payload, "SIP/2.0 200 OK", 14) == 0 || memcmp(packet_payload, "sip/2.0 200 OK", 14) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip SIP/2.0 0K.\n"); + NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 0K\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; } */ if (memcmp(packet_payload, "SIP/2.0 ", 8) == 0 || memcmp(packet_payload, "sip/2.0 ", 8) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip SIP/2.0 *.\n"); + NDPI_LOG_INFO(ndpi_struct, "found sip SIP/2.0 *\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; } if ((memcmp(packet_payload, "BYE ", 4) == 0 || memcmp(packet_payload, "bye ", 4) == 0) && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip BYE.\n"); + NDPI_LOG_INFO(ndpi_struct, "found sip BYE\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; } if ((memcmp(packet_payload, "ACK ", 4) == 0 || memcmp(packet_payload, "ack ", 4) == 0) && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip ACK.\n"); + NDPI_LOG_INFO(ndpi_struct, "found sip ACK\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; } if ((memcmp(packet_payload, "CANCEL ", 7) == 0 || memcmp(packet_payload, "cancel ", 7) == 0) && (memcmp(&packet_payload[4], "SIP:", 4) == 0 || memcmp(&packet_payload[4], "sip:", 4) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip CANCEL.\n"); + NDPI_LOG_INFO(ndpi_struct, "found sip CANCEL\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; } 
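Review bot: The CANCEL test in this hunk compares `"CANCEL "` over 7 bytes but then looks for `SIP:`/`sip:` at `&packet_payload[4]`, which is still inside the method name. The condition can therefore never be true, and CANCEL requests are not classified by this branch. The commit only renames the log call beneath it, but the offset should be 7, as in the NOTIFY and INVITE tests of the previous hunk: `&& (memcmp(&packet_payload[7], "SIP:", 4) == 0 || memcmp(&packet_payload[7], "sip:", 4) == 0)) {`. The length guard that covers these `memcmp` calls is outside the hunk, so confirm it allows at least 11 bytes.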
@@ -132,7 +132,7 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct || memcmp(packet_payload, "options ", 8) == 0) && (memcmp(&packet_payload[8], "SIP:", 4) == 0 || memcmp(&packet_payload[8], "sip:", 4) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "found sip OPTIONS.\n"); + NDPI_LOG_INFO(ndpi_struct, "found sip OPTIONS\n"); ndpi_int_sip_add_connection(ndpi_struct, flow, 0); return; } @@ -141,19 +141,19 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct /* add bitmask for tcp only, some stupid udp programs * send a very few (< 10 ) packets before invite (mostly a 0x0a0x0d, but just search the first 3 payload_packets here */ if (packet->udp != NULL && flow->packet_counter < 20) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "need next packet.\n"); + NDPI_LOG_DBG2(ndpi_struct, "need next packet\n"); return; } #ifdef NDPI_PROTOCOL_STUN /* for STUN flows we need some more packets */ if (packet->udp != NULL && flow->detected_protocol_stack[0] == NDPI_PROTOCOL_STUN && flow->packet_counter < 40) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "need next STUN packet.\n"); + NDPI_LOG_DBG2(ndpi_struct, "need next STUN packet\n"); return; } #endif if (payload_len == 4 && get_u_int32_t(packet_payload, 0) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "maybe sip. need next packet.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe sip. need next packet\n"); return; } #ifdef NDPI_PROTOCOL_YAHOO 
@@ -161,27 +161,21 @@ void ndpi_search_sip_handshake(struct ndpi_detection_module_struct && packet_payload[3] == payload_len - 20 && get_u_int32_t(packet_payload, 4) == 0 && get_u_int32_t(packet_payload, 8) == 0) { flow->sip_yahoo_voice = 1; - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "maybe sip yahoo. need next packet.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe sip yahoo. need next packet\n"); } if (flow->sip_yahoo_voice && flow->packet_counter < 10) { return; } #endif - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "exclude sip.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SIP); - return; - + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_sip(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_flow_struct *flow = ndpi_struct->flow; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - NDPI_LOG(NDPI_PROTOCOL_SIP, ndpi_struct, NDPI_LOG_DEBUG, "sip detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search sip\n"); /* skip marked packets */ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_SIP) { diff --git a/src/lib/protocols/skinny.c b/src/lib/protocols/skinny.c index a31d8cc86..0acebf271 100644 --- a/src/lib/protocols/skinny.c +++ b/src/lib/protocols/skinny.c @@ -17,12 +17,15 @@ * If not, see . * */ +#include "ndpi_protocol_ids.h" +#ifdef NDPI_PROTOCOL_SKINNY + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SKINNY #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_SKINNY static void ndpi_int_skinny_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
@@ -38,26 +41,25 @@ void ndpi_search_skinny(struct ndpi_detection_module_struct *ndpi_struct, struct const char keypadmsg_8_bytes[8] = { 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; const char selectmsg_8_bytes[8] = { 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - NDPI_LOG(NDPI_PROTOCOL_SKINNY, ndpi_struct, NDPI_LOG_DEBUG, "search for SKINNY.\n"); + NDPI_LOG_DBG(ndpi_struct, "search for SKINNY\n"); if(packet->tcp != NULL) { sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); - NDPI_LOG(NDPI_PROTOCOL_SKINNY, ndpi_struct, NDPI_LOG_DEBUG, "calculating SKINNY over tcp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculating SKINNY over tcp\n"); if (dport == 2000 && ((packet->payload_packet_len == 24 && memcmp(&packet->payload[0], keypadmsg_8_bytes, 8) == 0) || ((packet->payload_packet_len == 64) && memcmp(&packet->payload[0], pattern_8_bytes, 8) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_SKINNY, ndpi_struct, NDPI_LOG_DEBUG, "found skinny.\n"); + NDPI_LOG_INFO(ndpi_struct, "found skinny\n"); ndpi_int_skinny_add_connection(ndpi_struct, flow); } else if (sport == 2000 && ((packet->payload_packet_len == 28 && memcmp(&packet->payload[0], selectmsg_8_bytes, 8) == 0 ) || (packet->payload_packet_len == 44 && memcmp(&packet->payload[0], pattern_9_bytes, 9) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_SKINNY, ndpi_struct, NDPI_LOG_DEBUG, "found skinny.\n"); + NDPI_LOG_INFO(ndpi_struct, "found skinny\n"); ndpi_int_skinny_add_connection(ndpi_struct, flow); } } else { - NDPI_LOG(NDPI_PROTOCOL_SKINNY, ndpi_struct, NDPI_LOG_DEBUG, "exclude SKINNY.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SKINNY); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/skype.c b/src/lib/protocols/skype.c index 19de3c437..ea571961f 100644 --- a/src/lib/protocols/skype.c +++ b/src/lib/protocols/skype.c 
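Review bot: `NDPI_EXCLUDE_PROTO(ndpi_struct, flow)` is reached only in the `else` of `if(packet->tcp != NULL)`, so a TCP flow that matches neither port-2000 pattern is never excluded from SKINNY. It is presumably re-checked on every packet. If that is intended, say so next to the `else`, e.g. `/* TCP flows are left undecided: the pattern may appear in a later segment */`. Otherwise bound the search, for instance `else if (flow->packet_counter > MAX_SKINNY_PKTS) NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`, where `MAX_SKINNY_PKTS` is a placeholder for a limit the project would choose. The function starts above this hunk, so declarations before `keypadmsg_8_bytes` are not visible here.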
@@ -17,10 +17,15 @@ * along with nDPI. If not, see . * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_SKYPE +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SKYPE + +#include "ndpi_api.h" + + static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; @@ -44,13 +49,13 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s ((payload_len >= 16) && (packet->payload[0] != 0x30) /* Avoid invalid SNMP detection */ && (packet->payload[2] == 0x02))) { - NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found skype.\n"); + NDPI_LOG_INFO(ndpi_struct, "found skype\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN); } } return; } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SKYPE); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; // TCP check @@ -69,15 +74,16 @@ static void ndpi_check_skype(struct ndpi_detection_module_struct *ndpi_struct, s // printf("[SKYPE] payload_len=%u\n", payload_len); /* printf("[SKYPE] %u/%u\n", ntohs(packet->tcp->source), ntohs(packet->tcp->dest)); */ - NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found skype.\n"); + NDPI_LOG_INFO(ndpi_struct, "found skype\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SKYPE, NDPI_PROTOCOL_UNKNOWN); } else { // printf("NO [SKYPE] payload_len=%u\n", payload_len); } /* printf("[SKYPE] [id: %u][len: %d]\n", flow->l4.tcp.skype_packet_id, payload_len); */ - } else - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SKYPE); + } else { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } return; } 
@@ -87,7 +93,7 @@ void ndpi_search_skype(struct ndpi_detection_module_struct *ndpi_struct, struct { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "skype detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search skype\n"); /* skip marked packets */ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_SKYPE) diff --git a/src/lib/protocols/smb.c b/src/lib/protocols/smb.c index 051aee635..6ac7e282a 100644 --- a/src/lib/protocols/smb.c +++ b/src/lib/protocols/smb.c @@ -20,33 +20,37 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_SMB +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SMB + +#include "ndpi_api.h" + void ndpi_search_smb_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search SMB\n"); + /* Check connection over TCP */ if(packet->tcp) { - NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "search SMB.\n"); if(packet->tcp->dest == htons(445) && packet->payload_packet_len > (32 + 4 + 4) && (packet->payload_packet_len - 4) == ntohl(get_u_int32_t(packet->payload, 0)) && get_u_int32_t(packet->payload, 4) == htonl(0xff534d42)) { - NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "found SMB.\n"); + NDPI_LOG_INFO(ndpi_struct, "found SMB\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SMB, NDPI_PROTOCOL_UNKNOWN); return; } } - NDPI_LOG(NDPI_PROTOCOL_SMB, ndpi_struct, NDPI_LOG_DEBUG, "exclude SMB.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SMB); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/smpp.c b/src/lib/protocols/smpp.c index 3185cbf44..1bd2a870b 100644 --- a/src/lib/protocols/smpp.c +++ b/src/lib/protocols/smpp.c 
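Review bot: In the smb.c hunk, `ndpi_search_smb_tcp()` accepts only the `0xff534d42` marker and only packets whose destination port is 445; anything else falls straight through to `NDPI_EXCLUDE_PROTO`. SMB2/3 headers begin with 0xFE 'S' 'M' 'B', so a session that opens with an SMB2 negotiate would be excluded and left unclassified. That is a visibility gap for anyone using the classification for monitoring. If SMB2 is meant to be covered here, the marker test could read `(get_u_int32_t(packet->payload, 4) == htonl(0xff534d42) || get_u_int32_t(packet->payload, 4) == htonl(0xfe534d42))`. If not, a one-line comment above the test stating that only SMB1 is matched would make the limitation explicit.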
@@ -20,10 +20,14 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_SMPP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SMPP + +#include "ndpi_api.h" + static void ndpi_int_smpp_add_connection(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) @@ -39,28 +43,24 @@ static u_int8_t ndpi_check_overflow(u_int32_t current_length, u_int32_t total_l void ndpi_search_smpp_tcp(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) { - NDPI_LOG(NDPI_PROTOCOL_SMPP, ndpi_struct, NDPI_LOG_DEBUG, "SMPP protocol detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search SMPP\n"); if (flow->packet.detected_protocol_stack[0] != NDPI_PROTOCOL_SMPP){ struct ndpi_packet_struct* packet = &flow->packet; // min SMPP packet length = 16 bytes if (packet->payload_packet_len < 16) { - NDPI_LOG(NDPI_PROTOCOL_SMPP, ndpi_struct, NDPI_LOG_DEBUG, "SMPP excluded\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SMPP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } // get PDU length u_int32_t pdu_l = ntohl(get_u_int32_t(packet->payload, 0)); - NDPI_LOG(NDPI_PROTOCOL_SMPP, - ndpi_struct, - NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "calculated PDU Length: %d, received PDU Length: %d\n", pdu_l, packet->payload_packet_len); // if PDU size was invalid, try the following TCP segments, 3 attempts max if(flow->packet_counter > 3) { - NDPI_LOG(NDPI_PROTOCOL_SMPP, ndpi_struct, NDPI_LOG_DEBUG, "SMPP excluded\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SMPP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } // verify PDU length 
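Review bot: In `ndpi_search_smpp_tcp()` the new `NDPI_LOG_DBG2` call prints `pdu_l`, a `u_int32_t` read from the wire, with `%d`. That is a specifier/type mismatch, and oversized PDU lengths (the malformed case the log exists to diagnose) come out as negative numbers. Use `"calculated PDU Length: %u, received PDU Length: %d\n"`. The later hunks print `total_pdu_l` and `pdu_c` the same way; their declarations are outside the visible hunks, so check their types and apply the same correction if they are unsigned. The function body continues past this hunk.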
@@ -81,9 +81,7 @@ void ndpi_search_smpp_tcp(struct ndpi_detection_module_struct* ndpi_struct, ++pdu_c; } - NDPI_LOG(NDPI_PROTOCOL_SMPP, - ndpi_struct, - NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "multiple PDUs included, calculated total PDU Length: %d, PDU count: %d, TCP payload length: %d\n", total_pdu_l, pdu_c, packet->payload_packet_len); @@ -98,8 +96,7 @@ void ndpi_search_smpp_tcp(struct ndpi_detection_module_struct* ndpi_struct, u_int32_t pdu_type = ntohl(get_u_int32_t(packet->payload, 4)); // first byte of PDU type is either 0x00 of 0x80 if(!(packet->payload[4] == 0x00 || packet->payload[4] == 0x80)) { - NDPI_LOG(NDPI_PROTOCOL_SMPP, ndpi_struct, NDPI_LOG_DEBUG, "SMPP excluded\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SMPP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } // remove 0x80, get request type pdu @@ -110,9 +107,7 @@ void ndpi_search_smpp_tcp(struct ndpi_detection_module_struct* ndpi_struct, pdu_req == 0x00000021 || pdu_req == 0x00000102 || pdu_req == 0x00000103)){ - NDPI_LOG(NDPI_PROTOCOL_SMPP, - ndpi_struct, - NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "PDU type: %x, Request PDU type = %x\n", pdu_type, pdu_req); @@ -300,15 +295,13 @@ void ndpi_search_smpp_tcp(struct ndpi_detection_module_struct* ndpi_struct, // if extra checks passed, set as identified if(extra_passed) { - NDPI_LOG(NDPI_PROTOCOL_SMPP, ndpi_struct, NDPI_LOG_DEBUG, "SMPP identified...\n"); + NDPI_LOG_INFO(ndpi_struct, "found SMPP\n"); ndpi_int_smpp_add_connection(ndpi_struct, flow); return; } } - // exclude - NDPI_LOG(NDPI_PROTOCOL_SMPP, ndpi_struct, NDPI_LOG_DEBUG, "SMPP excluded\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SMPP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/snmp.c b/src/lib/protocols/snmp.c index 71de7589b..6a2f2624f 100644 --- a/src/lib/protocols/snmp.c +++ b/src/lib/protocols/snmp.c 
@@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_SNMP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SNMP + +#include "ndpi_api.h" + static void ndpi_int_snmp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -35,10 +39,9 @@ static void ndpi_int_snmp_add_connection(struct ndpi_detection_module_struct void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; + NDPI_LOG_DBG(ndpi_struct, "search SNMP\n"); + if (packet->payload_packet_len > 32 && packet->payload[0] == 0x30) { int offset; u_int16_t u16; @@ -52,7 +55,7 @@ void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, struct n break; default: if (packet->payload[1] > 0x82) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded, second byte is > 0x82\n"); + NDPI_LOG_DBG2(ndpi_struct, "SNMP excluded, second byte is > 0x82\n"); goto excl; } offset = 2; 
@@ -61,22 +64,22 @@ void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, struct n u16 = ntohs(get_u_int16_t(packet->payload, offset)); if((u16 != 0x0201) && (u16 != 0x0204)) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded, 0x0201/0x0204 pattern not found\n"); + NDPI_LOG_DBG2(ndpi_struct, "SNMP excluded, 0x0201/0x0204 pattern not found\n"); goto excl; } if (packet->payload[offset + 2] >= 0x04) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded, version > 3\n"); + NDPI_LOG_DBG2(ndpi_struct, "SNMP excluded, version > 3\n"); goto excl; } if (flow->l4.udp.snmp_stage == 0) { if (packet->udp->dest == htons(161) || packet->udp->dest == htons(162)) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP detected due to port.\n"); + NDPI_LOG_INFO(ndpi_struct, "found SNMP by port\n"); ndpi_int_snmp_add_connection(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP stage 0.\n"); + NDPI_LOG_DBG2(ndpi_struct, "SNMP stage 0\n"); if (packet->payload[offset + 2] == 3) { flow->l4.udp.snmp_msg_id = ntohs(get_u_int32_t(packet->payload, offset + 8)); } else if (packet->payload[offset + 2] == 0) { 
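Review bot: The SNMPv3 message ID is stored as `ntohs(get_u_int32_t(packet->payload, offset + 8))`, a 16-bit byte swap applied to a 32-bit read. The value is truncated, and which two bytes of the field survive depends on host byte order. The comparison in the next hunk uses the same expression, so request/response matching stays self-consistent on one host, but only half of the ID is actually checked. If `snmp_msg_id` is 16 bits wide (its declaration is not visible here), read two bytes explicitly: `flow->l4.udp.snmp_msg_id = ntohs(get_u_int16_t(packet->payload, offset + 8));`, with the same change in the v3 comparison. If it is 32 bits, use `ntohl` in both places. Either way, a short comment naming which bytes of the msgID are compared would help the next reader.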
@@ -89,41 +92,39 @@ void ndpi_search_snmp(struct ndpi_detection_module_struct *ndpi_struct, struct n } else if (flow->l4.udp.snmp_stage == 1 + packet->packet_direction) { if (packet->payload[offset + 2] == 0) { if (flow->l4.udp.snmp_msg_id != get_u_int8_t(packet->payload, offset + 15) - 1) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "SNMP v1 excluded, message ID doesn't match\n"); goto excl; } } } else if (flow->l4.udp.snmp_stage == 2 - packet->packet_direction) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP stage 1-2.\n"); + NDPI_LOG_DBG2(ndpi_struct, "SNMP stage 1-2\n"); if (packet->payload[offset + 2] == 3) { if (flow->l4.udp.snmp_msg_id != ntohs(get_u_int32_t(packet->payload, offset + 8))) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "SNMP v3 excluded, message ID doesn't match\n"); goto excl; } } else if (packet->payload[offset + 2] == 0) { if (flow->l4.udp.snmp_msg_id != get_u_int8_t(packet->payload, offset + 15)) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "SNMP v1 excluded, message ID doesn't match\n"); goto excl; } } else { if (flow->l4.udp.snmp_msg_id != ntohs(get_u_int16_t(packet->payload, offset + 15))) { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "SNMP v2 excluded, message ID doesn't match\n"); goto excl; } } - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found SNMP\n"); ndpi_int_snmp_add_connection(ndpi_struct, flow); return; } - } else { - NDPI_LOG(NDPI_PROTOCOL_SNMP, ndpi_struct, NDPI_LOG_DEBUG, "SNMP excluded.\n"); } excl: - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SNMP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/socks45.c b/src/lib/protocols/socks45.c index 67cfab8b4..32c83934a 100644 
--- a/src/lib/protocols/socks45.c +++ b/src/lib/protocols/socks45.c @@ -23,11 +23,14 @@ * along with nDPI. If not, see . * */ +#include "ndpi_protocol_ids.h" +#ifdef NDPI_PROTOCOL_SOCKS + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOCKS #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_SOCKS static void ndpi_int_socks_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOCKS, NDPI_PROTOCOL_UNKNOWN); 
@@ -40,25 +43,24 @@ static void ndpi_check_socks4(struct ndpi_detection_module_struct *ndpi_struct, /* Break after 20 packets. */ if(flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "Exclude SOCKS4.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOCKS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } /* Check if we so far detected the protocol in the request or not. */ if(flow->socks4_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "SOCKS4 stage 0: \n"); + NDPI_LOG_DBG2(ndpi_struct, "SOCKS4 stage 0: \n"); if(payload_len >= 9 && packet->payload[0] == 0x04 && (packet->payload[1] == 0x01 || packet->payload[1] == 0x02) && packet->payload[payload_len - 1] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "Possible SOCKS4 request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible SOCKS4 request detected, we will look further for the response\n"); /* TODO: check port and ip address is valid */ /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->socks4_stage = packet->packet_direction + 1; } } else { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "SOCKS4 stage %u: \n", flow->socks4_stage); + NDPI_LOG_DBG2(ndpi_struct, "SOCKS4 stage %u: \n", flow->socks4_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if((flow->socks4_stage - packet->packet_direction) == 1) { 
@@ -66,10 +68,10 @@ static void ndpi_check_socks4(struct ndpi_detection_module_struct *ndpi_struct, } /* This is a packet in another direction. Check if we find the proper response. */ if(payload_len == 8 && packet->payload[0] == 0x00 && packet->payload[1] >= 0x5a && packet->payload[1] <= 0x5d) { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "Found SOCKS4.\n"); + NDPI_LOG_INFO(ndpi_struct, "found SOCKS4\n"); ndpi_int_socks_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to SOCKS4, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to SOCKS4, resetting the stage to 0\n"); flow->socks4_stage = 0; } } 
@@ -82,24 +84,23 @@ static void ndpi_check_socks5(struct ndpi_detection_module_struct *ndpi_struct, /* Break after 20 packets. */ if(flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "Exclude SOCKS5.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOCKS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } /* Check if we so far detected the protocol in the request or not. */ if(flow->socks5_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "SOCKS5 stage 0: \n"); + NDPI_LOG_DBG2(ndpi_struct, "SOCKS5 stage 0: \n"); if((payload_len == 3) && (packet->payload[0] == 0x05) && (packet->payload[1] == 0x01) && (packet->payload[2] == 0x00)) { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "Possible SOCKS5 request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible SOCKS5 request detected, we will look further for the response\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->socks5_stage = packet->packet_direction + 1; } } else { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "SOCKS5 stage %u: \n", flow->socks5_stage); + NDPI_LOG_DBG2(ndpi_struct, "SOCKS5 stage %u: \n", flow->socks5_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if((flow->socks5_stage - packet->packet_direction) == 1) { 
@@ -108,10 +109,10 @@ static void ndpi_check_socks5(struct ndpi_detection_module_struct *ndpi_struct, /* This is a packet in another direction. Check if we find the proper response. */ if((payload_len == 0) || ((payload_len == 2) && (packet->payload[0] == 0x05) && (packet->payload[1] == 0x00))) { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "Found SOCKS5.\n"); + NDPI_LOG_INFO(ndpi_struct, "found SOCKS5\n"); ndpi_int_socks_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to SOCKS5, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to SOCKS5, resetting the stage to 0\n"); flow->socks5_stage = 0; } @@ -122,7 +123,7 @@ void ndpi_search_socks(struct ndpi_detection_module_struct *ndpi_struct, struct { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_SOCKS, ndpi_struct, NDPI_LOG_DEBUG, "SOCKS detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search SOCKS\n"); /* skip marked packets */ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_SOCKS) { diff --git a/src/lib/protocols/socrates.c b/src/lib/protocols/socrates.c index 58a9b01ba..2dfad068d 100644 --- a/src/lib/protocols/socrates.c +++ b/src/lib/protocols/socrates.c @@ -23,9 +23,13 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_SOCRATES +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOCRATES + +#include "ndpi_api.h" static void ndpi_socrates_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
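Review bot: The reply test in the `@@ -108,10 +109,10 @@` hunk accepts `payload_len == 0`, so after a three-byte `05 01 00` request any empty packet in the other direction now produces the INFO-level `found SOCKS5` and a SOCKS classification. Unrelated traffic can satisfy that easily, which weakens anything downstream that trusts the label. Unless the empty case is needed for a reason not visible here, require the two-byte reply, `if((payload_len == 2) && (packet->payload[0] == 0x05) && (packet->payload[1] == 0x00)) {`, or at least add a comment explaining why an empty payload counts as a match. `ndpi_check_socks5` begins outside the hunk.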
@@ -38,20 +42,16 @@ void ndpi_search_socrates(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - + NDPI_LOG_DBG(ndpi_struct, "search socrates\n"); - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "search socrates.\n"); if (packet->udp != NULL) { if (packet->payload_packet_len > 9 && packet->payload[0] == 0xfe && packet->payload[packet->payload_packet_len - 1] == 0x05) { - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found fe.\n"); + NDPI_LOG_DBG2(ndpi_struct, "found fe\n"); - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "len match.\n"); + NDPI_LOG_DBG2(ndpi_struct, "len match\n"); if (memcmp(&packet->payload[2], "socrates", 8) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found socrates udp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found socrates udp\n"); ndpi_socrates_add_connection(ndpi_struct, flow); } 
@@ -59,19 +59,18 @@ void ndpi_search_socrates(struct ndpi_detection_module_struct } else if (packet->tcp != NULL) { if (packet->payload_packet_len > 13 && packet->payload[0] == 0xfe && packet->payload[packet->payload_packet_len - 1] == 0x05) { - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found fe.\n"); + NDPI_LOG_DBG2(ndpi_struct, "found fe\n"); if (packet->payload_packet_len == ntohl(get_u_int32_t(packet->payload, 2))) { - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "len match.\n"); + NDPI_LOG_DBG2(ndpi_struct, "len match\n"); if (memcmp(&packet->payload[6], "socrates", 8) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "found socrates tcp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found socrates tcp\n"); ndpi_socrates_add_connection(ndpi_struct, flow); } } } } - NDPI_LOG(NDPI_PROTOCOL_SOCRATES, ndpi_struct, NDPI_LOG_DEBUG, "exclude socrates.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOCRATES); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/someip.c b/src/lib/protocols/someip.c index 93dfa50ae..604022714 100644 --- a/src/lib/protocols/someip.c +++ b/src/lib/protocols/someip.c @@ -21,9 +21,14 @@ * */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_SOMEIP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOMEIP + +#include "ndpi_api.h" + enum SOMEIP_MESSAGE_TYPES { SOMEIP_REQUEST = 0x00, SOMEIP_REQUEST_NO_RETURN = 0x01, @@ -81,7 +86,7 @@ static void ndpi_int_someip_add_connection (struct ndpi_detection_module_struct struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct,flow,NDPI_PROTOCOL_SOMEIP,NDPI_PROTOCOL_UNKNOWN); - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found SOME/IP\n"); } /** 
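Review bot: In the TCP branch `ndpi_socrates_add_connection(ndpi_struct, flow);` is not followed by a `return`, so control falls through the closing braces to the new `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`. A flow just reported as `found socrates tcp` is therefore also put on the exclusion path. Add `return;` right after the `ndpi_socrates_add_connection` call. The UDP branch in the previous hunk shows the same call without a visible `return`, though the rest of that branch lies outside the hunks.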
@@ -101,7 +106,8 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, //####Maybe check carrier protocols?#### - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP search called...\n"); + NDPI_LOG_DBG(ndpi_struct, "search SOME/IP\n"); + if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_UNKNOWN) { return; } 
@@ -110,23 +116,28 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int32_t message_id = ntohl(*((u_int32_t *)&packet->payload[0])); u_int32_t request_id = ntohl(*((u_int32_t *)&packet->payload[8])); - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "====>>>> SOME/IP Message ID: %08x [len: %u]\n", + NDPI_LOG_DBG2(ndpi_struct, "====>>>> SOME/IP Message ID: %08x [len: %u]\n", message_id, packet->payload_packet_len); - + if (packet->payload_packet_len < 16) { + NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP .. mandatory header not found\n"); + NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); + return; + } + //####Maximum packet size in SOMEIP depends on the carrier protocol, and I'm not certain how well enforced it is, so let's leave that for round 2#### // we extract the remaining length u_int32_t someip_len = ntohl(*((u_int32_t *)&packet->payload[4])); if (packet->payload_packet_len != (someip_len + 8)) { - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. Length field invalid!\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP .. Length field invalid!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } u_int8_t protocol_version = (u_int8_t) (packet->payload[12]); - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP protocol version: [%d]\n",protocol_version); + NDPI_LOG_DBG2(ndpi_struct,"====>>>> SOME/IP protocol version: [%d]\n",protocol_version); if (protocol_version != LEGAL_PROTOCOL_VERSION){ - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid protocol version!\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP .. invalid protocol version!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } 
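Review bot: The added `if (packet->payload_packet_len < 16)` guard comes too late: `message_id` and `request_id` have already been read from `packet->payload[0]` and `packet->payload[8]` in the two declarations above it. Unless a length check sits in the line or two between this hunk and the previous one, a payload shorter than 12 bytes is read past its end before the minimum size is established. Move the guard above the `u_int32_t message_id = ...` line so no header field is touched first. These fields are also read through raw `*((u_int32_t *)&packet->payload[N])` casts where the other dissectors on this page call `get_u_int32_t(packet->payload, N)`; using the accessor would be consistent. `ndpi_search_someip` begins and ends outside this hunk.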
@@ -134,20 +145,20 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, u_int8_t interface_version = (packet->payload[13]); u_int8_t message_type = (u_int8_t) (packet->payload[14]); - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP message type: [%d]\n",message_type); + NDPI_LOG_DBG2(ndpi_struct,"====>>>> SOME/IP message type: [%d]\n",message_type); if ((message_type != SOMEIP_REQUEST) && (message_type != SOMEIP_REQUEST_NO_RETURN) && (message_type != SOMEIP_NOTIFICATION) && (message_type != SOMEIP_REQUEST_ACK) && (message_type != SOMEIP_REQUEST_NO_RETURN_ACK) && (message_type != SOMEIP_NOTIFICATION_ACK) && (message_type != SOMEIP_RESPONSE) && (message_type != SOMEIP_ERROR) && (message_type != SOMEIP_RESPONSE_ACK) && (message_type != SOMEIP_ERROR_ACK)) { - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid message type!\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP .. invalid message type!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } u_int8_t return_code = (u_int8_t) (packet->payload[15]); - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG,"====>>>> SOME/IP return code: [%d]\n", return_code); + NDPI_LOG_DBG2(ndpi_struct,"====>>>> SOME/IP return code: [%d]\n", return_code); if ((return_code >= E_RETURN_CODE_LEGAL_THRESHOLD)) { - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP .. invalid return code!\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP .. invalid return code!\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } 
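Review bot: The early exits in this hunk had their log call converted but still exclude with `NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP);`, while the end of the same function and the other dissectors in this commit now use `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`. Mixing the two means some exclusions go through the shared macro and others bypass whatever it adds (its definition is not visible here). Replace each with `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` and keep the `return;`. The same leftover appears in the neighbouring someip.c hunks, including the newly added length guard, and in the final sopcast.c UDP hunk.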
@@ -155,12 +166,12 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, if (message_id == MSG_MAGIC_COOKIE){ if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION) && (message_type == SOMEIP_REQUEST_NO_RETURN) && (return_code == E_OK)){ - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie\n",message_type); + NDPI_LOG_DBG2(ndpi_struct, "found SOME/IP Magic Cookie 0x%x\n",message_type); ndpi_int_someip_add_connection(ndpi_struct, flow); return; } else{ - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP, invalid header for Magic Cookie\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP, invalid header for Magic Cookie\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } 
@@ -169,19 +180,19 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, if (message_id == MSG_MAGIC_COOKIE_ACK){ if ((someip_len == MC_LENGTH) && (request_id == MC_REQUEST_ID) && (interface_version == MC_INTERFACE_VERSION) && (message_type == SOMEIP_REQUEST_NO_RETURN) && (return_code == E_OK)){ - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found Magic Cookie ACK\n",message_type); + NDPI_LOG_DBG2(ndpi_struct, "found SOME/IP Magic Cookie ACK 0x%x\n",message_type); ndpi_int_someip_add_connection(ndpi_struct, flow); return; } else{ - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Excluding SOME/IP, invalid header for Magic Cookie ACK\n"); + NDPI_LOG_DBG(ndpi_struct, "Excluding SOME/IP, invalid header for Magic Cookie ACK\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); return; } } if (message_id == MSG_SD){ - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP-SD currently not supported\n", message_type); + NDPI_LOG_DBG2(ndpi_struct, "SOME/IP-SD currently not supported\n", message_type); } //Filtering by port. 
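Review bot: `NDPI_LOG_DBG2(ndpi_struct, "SOME/IP-SD currently not supported\n", message_type);` still passes `message_type` to a format string that has no conversion. The commit corrected exactly this for the two Magic Cookie messages by adding `0x%x`. Drop the stray argument, `NDPI_LOG_DBG2(ndpi_struct, "SOME/IP-SD currently not supported\n");`, so the call is clean under `-Wformat-extra-args`.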
@@ -189,22 +200,18 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, //This is is PURELY for demo purposes and the rest of the check must be filled in later on! if (packet->l4_protocol == IPPROTO_UDP){ if ((packet->udp->dest == ntohs(PORT_DEFAULT_CLIENT)) || (packet->udp->dest == ntohs(PORT_DEFAULT_SERVER)) || (packet->udp->dest == ntohs(PORT_DEFAULT_SD))) { - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type); ndpi_int_someip_add_connection(ndpi_struct, flow); return; } } if (packet->l4_protocol == IPPROTO_TCP){ if ((packet->tcp->dest == ntohs(PORT_DEFAULT_CLIENT)) || (packet->tcp->dest == ntohs(PORT_DEFAULT_SERVER))) { - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP found\n",message_type); ndpi_int_someip_add_connection(ndpi_struct, flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "Reached the end without confirming SOME/IP ...\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOMEIP); - return; + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } /** * Entry point for the ndpi library @@ -212,7 +219,6 @@ void ndpi_search_someip (struct ndpi_detection_module_struct *ndpi_struct, void init_someip_dissector (struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) { - NDPI_LOG(NDPI_PROTOCOL_SOMEIP, ndpi_struct, NDPI_LOG_DEBUG, "SOME/IP dissector init...\n"); ndpi_set_bitmask_protocol_detection ("SOME/IP", ndpi_struct, detection_bitmask, *id, NDPI_PROTOCOL_SOMEIP, ndpi_search_someip, diff --git a/src/lib/protocols/sopcast.c b/src/lib/protocols/sopcast.c index 63590fec7..db507ecc7 100644 --- a/src/lib/protocols/sopcast.c +++ b/src/lib/protocols/sopcast.c 
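Review bot: The port comparisons convert host-order constants with the network-to-host function, `ntohs(PORT_DEFAULT_CLIENT)` and friends, before comparing them with `packet->udp->dest` / `packet->tcp->dest`. The result is the same, but the direction reads wrong, and snmp.c in this commit writes `htons(161)` for the same purpose. Use `htons(PORT_DEFAULT_CLIENT)`, `htons(PORT_DEFAULT_SERVER)` and `htons(PORT_DEFAULT_SD)`. Only the destination port is tested, so packets sent from these ports are not matched by this block; the surrounding comment already marks the check as provisional.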
@@ -22,11 +22,14 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_SOPCAST +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOPCAST + +#include "ndpi_api.h" + static void ndpi_int_sopcast_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -102,15 +105,13 @@ static void ndpi_search_sopcast_tcp(struct ndpi_detection_module_struct if (flow->packet_counter == 1 && packet->payload_packet_len == 54 && get_u_int16_t(packet->payload, 0) == ntohs(0x0036)) { if (ndpi_int_is_sopcast_tcp(packet->payload, packet->payload_packet_len)) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast TCP \n"); + NDPI_LOG_INFO(ndpi_struct, "found sopcast TCP \n"); ndpi_int_sopcast_add_connection(ndpi_struct, flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "exclude sopcast TCP. \n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOPCAST); - + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } @@ -119,19 +120,14 @@ static void ndpi_search_sopcast_udp(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "search sopcast. \n"); - + NDPI_LOG_DBG(ndpi_struct, "search sopcast. \n"); if (packet->payload_packet_len == 52 && packet->payload[0] == 0xff && packet->payload[1] == 0xff && packet->payload[2] == 0x01 && packet->payload[8] == 0x02 && packet->payload[9] == 0xff && packet->payload[10] == 0x00 && packet->payload[11] == 0x2c && packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if I. \n"); + NDPI_LOG_INFO(ndpi_struct, "found sopcast with if I. \n"); ndpi_int_sopcast_add_connection(ndpi_struct, flow); return; } 
@@ -140,7 +136,7 @@ static void ndpi_search_sopcast_udp(struct ndpi_detection_module_struct && packet->payload[8] == 0x01 && packet->payload[9] == 0xff && packet->payload[10] == 0x00 && packet->payload[11] == 0x14 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if II. \n"); + NDPI_LOG_INFO(ndpi_struct, "found sopcast with if II. \n"); ndpi_int_sopcast_add_connection(ndpi_struct, flow); return; } @@ -150,7 +146,7 @@ static void ndpi_search_sopcast_udp(struct ndpi_detection_module_struct && packet->payload[8] == 0x03 && packet->payload[9] == 0xff && packet->payload[10] == 0x00 && packet->payload[11] == 0x34 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if III. \n"); + NDPI_LOG_INFO(ndpi_struct, "found sopcast with if III. \n"); ndpi_int_sopcast_add_connection(ndpi_struct, flow); return; } @@ -160,7 +156,7 @@ static void ndpi_search_sopcast_udp(struct ndpi_detection_module_struct && packet->payload[8] == 0x06 && packet->payload[9] == 0x01 && packet->payload[10] == 0x00 && packet->payload[11] == 0x22 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if IV. \n"); + NDPI_LOG_INFO(ndpi_struct, "found sopcast with if IV. \n"); ndpi_int_sopcast_add_connection(ndpi_struct, flow); return; } 
@@ -170,7 +166,7 @@ static void ndpi_search_sopcast_udp(struct ndpi_detection_module_struct && packet->payload[8] == 0x01 && packet->payload[9] == 0x01 && packet->payload[10] == 0x00 && packet->payload[11] == 0x14 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if V. \n"); + NDPI_LOG_INFO(ndpi_struct, "found sopcast with if V. \n"); ndpi_int_sopcast_add_connection(ndpi_struct, flow); return; } @@ -181,7 +177,7 @@ static void ndpi_search_sopcast_udp(struct ndpi_detection_module_struct && packet->payload[8] == 0x06 && packet->payload[9] == 0x01 && packet->payload[10] == 0x01 && packet->payload[11] == 0x16 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if VI. \n"); + NDPI_LOG_INFO(ndpi_struct, "found sopcast with if VI. \n"); ndpi_int_sopcast_add_connection(ndpi_struct, flow); return; } @@ -191,14 +187,14 @@ static void ndpi_search_sopcast_udp(struct ndpi_detection_module_struct && packet->payload[10] == 0x00 && packet->payload[11] == 0x44 && packet->payload[16] == 0x01 && packet->payload[15] == 0x01 && packet->payload[12] == 0x00 && packet->payload[13] == 0x00 && packet->payload[14] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "found sopcast with if VII. \n"); + NDPI_LOG_INFO(ndpi_struct, "found sopcast with if VII. \n"); ndpi_int_sopcast_add_connection(ndpi_struct, flow); return; } /* Attention please: no asymmetric detection necessary. This detection works asymmetrically as well. */ - NDPI_LOG(NDPI_PROTOCOL_SOPCAST, ndpi_struct, NDPI_LOG_DEBUG, "exclude sopcast. \n"); + NDPI_LOG_DBG(ndpi_struct, "exclude sopcast. \n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOPCAST); } diff --git a/src/lib/protocols/soulseek.c b/src/lib/protocols/soulseek.c index c7acc3bdc..8f4bbb32c 100644 
--- a/src/lib/protocols/soulseek.c +++ b/src/lib/protocols/soulseek.c @@ -20,10 +20,21 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" + +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_SOULSEEK +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SOULSEEK + +#include "ndpi_api.h" + +#define SOULSEEK_DETECT \ + if(src != NULL) \ + src->soulseek_last_safe_access_time = packet->tick_timestamp; \ + if(dst != NULL) \ + dst->soulseek_last_safe_access_time = packet->tick_timestamp; \ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN) void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -36,14 +47,14 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(packet->tcp) { if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SOULSEEK) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "packet marked as Soulseek\n"); + NDPI_LOG_DBG2(ndpi_struct, "packet marked as Soulseek\n"); if(src != NULL) - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, " SRC bitmask: %u, packet tick %llu , last safe access timestamp: %llu\n", NDPI_COMPARE_PROTOCOL_TO_BITMASK(src->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) != 0 ? 1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) src->soulseek_last_safe_access_time); if(dst != NULL) - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, " DST bitmask: %u, packet tick %llu , last safe ts: %llu\n", NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK) != 0 ? 1 : 0, (u_int64_t) packet->tick_timestamp, (u_int64_t) dst->soulseek_last_safe_access_time); 
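Review bot: `SOULSEEK_DETECT` expands to two `if` statements plus a call with no `do { ... } while(0)` wrapper, so in an unbraced `if(x) SOULSEEK_DETECT;` only the first statement would be conditional. Every call site visible in the later hunks sits inside braces, so nothing is broken today, but the macro is fragile for the next edit. Wrap the body as `do { ... } while(0)` or turn it into a `static` helper function. It also depends silently on locals named `src`, `dst`, `packet`, `ndpi_struct` and `flow`, which deserves a one-line comment above the define.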
@@ -65,13 +76,13 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, } if(src != NULL && ((u_int32_t)(packet->tick_timestamp - src->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "Soulseek: SRC update last safe access time and SKIP_FOR_TIME \n"); src->soulseek_last_safe_access_time = packet->tick_timestamp; } if(dst != NULL && ((u_int32_t)(packet->tick_timestamp - dst->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "Soulseek: DST update last safe access time and SKIP_FOR_TIME \n"); dst->soulseek_last_safe_access_time = packet->tick_timestamp; } @@ -81,7 +92,7 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(dst != NULL && dst->soulseek_listen_port != 0 && dst->soulseek_listen_port == ntohs(packet->tcp->dest) && ((u_int32_t)(packet->tick_timestamp - dst->soulseek_last_safe_access_time) < ndpi_struct->soulseek_connection_ip_tick_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "Soulseek: Plain detection on Port : %u packet_tick_timestamp: %u soulseek_last_safe_access_time: %u soulseek_connection_ip_ticktimeout: %u\n", dst->soulseek_listen_port, packet->tick_timestamp, dst->soulseek_last_safe_access_time, ndpi_struct->soulseek_connection_ip_tick_timeout); @@ -89,6 +100,7 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(src != NULL) src->soulseek_last_safe_access_time = packet->tick_timestamp; + NDPI_LOG_INFO(ndpi_struct, "found Soulseek\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); return; } 
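Review bot: The `Plain detection on Port` message prints `packet->tick_timestamp` and `dst->soulseek_last_safe_access_time` with `%u`, while the earlier log in this function casts the same fields to `u_int64_t` and prints them with `%llu`. If those fields are wider than `unsigned int` (their declarations are not visible here), the `%u` conversions are a format/argument mismatch. Cast and print them the same way in both messages, e.g. `(u_int64_t) packet->tick_timestamp` with `%llu`.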
@@ -121,14 +133,8 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, index += get_l32(packet->payload, index + 4) + 8; // enf of "hash value" if(index == get_l32(packet->payload, 0)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Login Detected\n"); - - if(src != NULL) - src->soulseek_last_safe_access_time = packet->tick_timestamp; - if(dst != NULL) - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found soulseek Login Detected\n"); + SOULSEEK_DETECT; return; } } @@ -142,7 +148,7 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(msgcode == 0x7d) { flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Messages Search\n"); + NDPI_LOG_DBG2(ndpi_struct, "Soulseek Messages Search\n"); return; } else if(msgcode == 0x02 && packet->payload_packet_len == 12) { const u_int32_t soulseek_listen_port = get_l32(packet->payload, 8); @@ -152,7 +158,7 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(packet->tcp != NULL && src->soulseek_listen_port == 0) { src->soulseek_listen_port = soulseek_listen_port; - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "\n Listen Port Saved : %u", src->soulseek_listen_port); + NDPI_LOG_DBG2(ndpi_struct, "\n Listen Port Saved : %u", src->soulseek_listen_port); if(dst != NULL) dst->soulseek_last_safe_access_time = packet->tick_timestamp; 
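Review bot: `NDPI_LOG_DBG2(ndpi_struct, "\n Listen Port Saved : %u", src->soulseek_listen_port);` starts with a newline and ends without one, unlike the other messages in this commit. The following log line will likely be appended to it. Use `"Listen Port Saved : %u\n"`.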
@@ -171,25 +177,17 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, && namelen <= packet->payload_packet_len && (4 + 1 + 4 + namelen + 4 + 1 + 4) == packet->payload_packet_len && (type == 'F' || type == 'P' || type == 'D')) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); - - if(src != NULL) - src->soulseek_last_safe_access_time = packet->tick_timestamp; - - if(dst != NULL) - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found soulseek\n"); + SOULSEEK_DETECT; return; } - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "1\n"); } - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "3\n"); + NDPI_LOG_DBG2(ndpi_struct, "3\n"); //Peer Message : Pierce Firewall if(packet->payload_packet_len == 9 && get_l32(packet->payload, 0) == 5 && packet->payload[4] <= 0x10 && get_u_int32_t(packet->payload, 5) != 0x00000000) { flow->l4.tcp.soulseek_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_TRACE, "Soulseek Size 9 Pierce Firewall\n"); + NDPI_LOG_DBG2(ndpi_struct, "Soulseek Size 9 Pierce Firewall\n"); return; } } 
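Review bot: `NDPI_LOG_DBG2(ndpi_struct, "3\n");` is a leftover trace marker: the commit deletes its sibling `"1\n"` but converts this one to the new macro. Remove it, or replace the text with what the code has established at that point.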
@@ -202,14 +200,8 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, const u_int32_t typelen = get_l32(packet->payload, 4 + 1 + 4 + usrlen); const u_int8_t type = packet->payload[4 + 1 + 4 + usrlen + 4]; if(typelen == 1 && (type == 'F' || type == 'P' || type == 'D')) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected Pattern command(D|P|F).\n"); - - if(src != NULL) - src->soulseek_last_safe_access_time = packet->tick_timestamp; - if(dst != NULL) - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found soulseek Pattern command(D|P|F)\n"); + SOULSEEK_DETECT; return; } } @@ -219,14 +211,8 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, if(packet->payload_packet_len > 8) { if((packet->payload[0] || packet->payload[1]) && get_l32(packet->payload, 4) == 9) { /* 9 is search result */ - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected Second Pkt\n"); - - if(src != NULL) - src->soulseek_last_safe_access_time = packet->tick_timestamp; - if(dst != NULL) - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found soulseek Second Pkt\n"); + SOULSEEK_DETECT; return; } if(get_l32(packet->payload, 0) == packet->payload_packet_len - 4) { 
@@ -235,14 +221,8 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, { const u_int32_t usrlen = get_l32(packet->payload, 8); if(usrlen <= packet->payload_packet_len && 4 + 4 + 4 + usrlen == packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "Soulseek Request Get Peer Address Detected\n"); - - if(src != NULL) - src->soulseek_last_safe_access_time = packet->tick_timestamp; - if(dst != NULL) - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found soulseek Request Get Peer Address Detected\n"); + SOULSEEK_DETECT; return; } } @@ -250,27 +230,15 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, } if(packet->payload_packet_len == 8 && get_l32(packet->payload, 4) == 0x00000004) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); - - if(src != NULL) - src->soulseek_last_safe_access_time = packet->tick_timestamp; - if(dst != NULL) - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found soulseek\n"); + SOULSEEK_DETECT; return; } if(packet->payload_packet_len == 4 && get_u_int16_t(packet->payload, 2) == 0x00 && get_u_int16_t(packet->payload, 0) != 0x00) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected\n"); - - if(src != NULL) - src->soulseek_last_safe_access_time = packet->tick_timestamp; - if(dst != NULL) - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found soulseek\n"); + SOULSEEK_DETECT; return; } else if(packet->payload_packet_len == 4) { flow->l4.tcp.soulseek_stage = 3; 
@@ -279,33 +247,21 @@ void ndpi_search_soulseek_tcp(struct ndpi_detection_module_struct *ndpi_struct, } else if(flow->l4.tcp.soulseek_stage == 1 + packet->packet_direction) { if(packet->payload_packet_len > 8) { if(packet->payload[4] == 0x03 && get_l32(packet->payload, 5) == 0x00000031) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected Second Pkt with SIGNATURE :: 0x0331000000 \n"); - - if(src != NULL) - src->soulseek_last_safe_access_time = packet->tick_timestamp; - if(dst != NULL) - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found soulseek Second Pkt with SIGNATURE :: 0x0331000000 \n"); + SOULSEEK_DETECT; return; } } } if(flow->l4.tcp.soulseek_stage == 3 && packet->payload_packet_len == 8 && !get_u_int32_t(packet->payload, 4)) { - NDPI_LOG(NDPI_PROTOCOL_SOULSEEK, ndpi_struct, NDPI_LOG_DEBUG, "soulseek detected bcz of 8B pkt\n"); - - if(src != NULL) - src->soulseek_last_safe_access_time = packet->tick_timestamp; - if(dst != NULL) - dst->soulseek_last_safe_access_time = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SOULSEEK, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found soulseek bcz of 8B pkt\n"); + SOULSEEK_DETECT; return; } if(flow->l4.tcp.soulseek_stage && flow->packet_counter < 11) { } else { - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SOULSEEK); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } } diff --git a/src/lib/protocols/spotify.c b/src/lib/protocols/spotify.c index e7dac5d66..cd3ed1355 100644 --- a/src/lib/protocols/spotify.c +++ b/src/lib/protocols/spotify.c 
@@ -21,10 +21,15 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_api.h" #ifdef NDPI_PROTOCOL_SPOTIFY + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SPOTIFY + +#include "ndpi_api.h" + static void ndpi_int_spotify_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow, u_int8_t due_to_correlation) { @@ -46,7 +51,7 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct, && (packet->udp->dest == spotify_port)) { if(payload_len > 2) { if(memcmp(packet->payload, "SpotUdp", 7) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SPOTIFY, ndpi_struct, NDPI_LOG_DEBUG, "Found spotify udp dissector.\n"); + NDPI_LOG_INFO(ndpi_struct, "found spotify udp dissector\n"); ndpi_int_spotify_add_connection(ndpi_struct, flow, 0); return; } @@ -58,7 +63,7 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct, packet->payload[2] == 0x00 && packet->payload[3] == 0x00&& packet->payload[6] == 0x52 && packet->payload[7] == 0x0e && packet->payload[8] == 0x50 ) { - NDPI_LOG(NDPI_PROTOCOL_SPOTIFY, ndpi_struct, NDPI_LOG_DEBUG, "Found spotify tcp dissector.\n"); + NDPI_LOG_INFO(ndpi_struct, "found spotify tcp dissector\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_UNKNOWN); } @@ -97,7 +102,7 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct, || ((ntohl(packet->iph->saddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC284A200 /* 194.132.162.0 */) || ((ntohl(packet->iph->daddr) & 0xFFFFFC00 /* 255.255.252.0 */) == 0xC284A200 /* 194.132.162.0 */) ) { - NDPI_LOG(NDPI_PROTOCOL_SPOTIFY, ndpi_struct, NDPI_LOG_DEBUG, "Found spotify via ip range.\n"); + NDPI_LOG_INFO(ndpi_struct, "found spotify via ip range\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SPOTIFY, NDPI_PROTOCOL_UNKNOWN); return; } 
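Review bot: In the `@@ -46,7 +51,7 @@` hunk the UDP branch compares seven bytes with `memcmp(packet->payload, "SpotUdp", 7)` after checking only `payload_len > 2`, so a datagram of 3 to 6 bytes to or from the Spotify port is read past the end of its payload. The commit only changes the log line and leaves this guard as it was. The length test should cover the whole comparison: `if(payload_len >= 7) {`. `payload_len` is assigned outside the hunk, presumably from `packet->payload_packet_len`.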
@@ -105,15 +110,14 @@ static void ndpi_check_spotify(struct ndpi_detection_module_struct *ndpi_struct, } } - NDPI_LOG(NDPI_PROTOCOL_SPOTIFY, ndpi_struct, NDPI_LOG_DEBUG, "exclude spotify.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SPOTIFY); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_spotify(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_SPOTIFY, ndpi_struct, NDPI_LOG_DEBUG, "spotify detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search spotify\n"); /* skip marked packets */ if (packet->detected_protocol_stack[0] != NDPI_PROTOCOL_SPOTIFY) { diff --git a/src/lib/protocols/ssdp.c b/src/lib/protocols/ssdp.c index 1f6b80023..ce681d9b6 100644 --- a/src/lib/protocols/ssdp.c +++ b/src/lib/protocols/ssdp.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_SSDP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSDP + +#include "ndpi_api.h" + static void ndpi_int_ssdp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -38,10 +42,7 @@ void ndpi_search_ssdp(struct ndpi_detection_module_struct *ndpi_struct, struct n { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "search ssdp.\n"); + NDPI_LOG_DBG(ndpi_struct, "search ssdp\n"); if (packet->udp != NULL) { if (packet->payload_packet_len > 100) { 
@@ -49,22 +50,21 @@ void ndpi_search_ssdp(struct ndpi_detection_module_struct *ndpi_struct, struct n || memcmp(packet->payload, "NOTIFY * HTTP/1.1", 17) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "found ssdp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found ssdp\n"); ndpi_int_ssdp_add_connection(ndpi_struct, flow); return; } #define SSDP_HTTP "HTTP/1.1 200 OK\r\n" if(memcmp(packet->payload, SSDP_HTTP, strlen(SSDP_HTTP)) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "found ssdp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found ssdp\n"); ndpi_int_ssdp_add_connection(ndpi_struct, flow); return; } } } - NDPI_LOG(NDPI_PROTOCOL_SSDP, ndpi_struct, NDPI_LOG_DEBUG, "ssdp excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSDP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/ssh.c b/src/lib/protocols/ssh.c index cb874010f..bfd1c387e 100644 --- a/src/lib/protocols/ssh.c +++ b/src/lib/protocols/ssh.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_SSH +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSH + +#include "ndpi_api.h" + static void ndpi_int_ssh_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow){ ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_SSH, NDPI_PROTOCOL_UNKNOWN); @@ -46,8 +50,6 @@ static void ndpi_ssh_zap_cr(char *str, int len) { void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; if (flow->l4.tcp.ssh_stage == 0) { if (packet->payload_packet_len > 7 && packet->payload_packet_len < 100 
@@ -56,7 +58,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc strncpy(flow->protos.ssh.client_signature, (const char *)packet->payload, len); flow->protos.ssh.client_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.client_signature, len); - NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "ssh stage 0 passed\n"); + NDPI_LOG_DBG2(ndpi_struct, "ssh stage 0 passed\n"); flow->l4.tcp.ssh_stage = 1 + packet->packet_direction; return; } @@ -67,7 +69,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc strncpy(flow->protos.ssh.server_signature, (const char *)packet->payload, len); flow->protos.ssh.server_signature[len] = '\0'; ndpi_ssh_zap_cr(flow->protos.ssh.server_signature, len); - NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "found ssh\n"); + NDPI_LOG_INFO(ndpi_struct, "found ssh\n"); ndpi_int_ssh_add_connection(ndpi_struct, flow); return; @@ -75,7 +77,7 @@ void ndpi_search_ssh_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } } - NDPI_LOG(NDPI_PROTOCOL_SSH, ndpi_struct, NDPI_LOG_DEBUG, "excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage); + NDPI_LOG_DBG(ndpi_struct, "excluding ssh at stage %d\n", flow->l4.tcp.ssh_stage); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSH); } diff --git a/src/lib/protocols/ssl.c b/src/lib/protocols/ssl.c index 5afca5389..e57e891e5 100644 --- a/src/lib/protocols/ssl.c +++ b/src/lib/protocols/ssl.c @@ -21,11 +21,15 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_api.h" #ifdef NDPI_PROTOCOL_SSL +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SSL + +#include "ndpi_api.h" + /* #define CERTIFICATE_DEBUG 1 */ #define NDPI_MAX_SSL_REQUEST_SIZE 10000 
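Review bot: In the `@@ -75,7 +77,7 @@` hunk the exclusion path still calls `NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSH);` directly, while the other dissectors converted in this commit use `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);`. ssh.c now defines `NDPI_CURRENT_PROTO`, so the one-line form should work here too, assuming the macro takes the protocol from that define (its definition is not in this hunk). If the stage number in the log is worth keeping, keep the `NDPI_LOG_DBG` line and replace only the bitmask call.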
@@ -153,7 +157,7 @@ int getSSLcertificate(struct ndpi_detection_module_struct *ndpi_struct, { static u_int8_t id = 0; - printf("-> [%u] %02X\n", ++id, packet->payload[0] & 0xFF); + NDPI_LOG_DBG2(ndpi_struct,"-> [%u] %02X\n", ++id, packet->payload[0] & 0xFF); } #endif @@ -363,7 +367,7 @@ int sslDetectProtocolFromCertificate(struct ndpi_detection_module_struct *ndpi_s if(rc > 0) { packet->ssl_certificate_detected++; #ifdef CERTIFICATE_DEBUG - printf("***** [SSL] %s\n", certificate); + NDPI_LOG_DBG2(ndpi_struct, "***** [SSL] %s\n", certificate); #endif u_int32_t subproto = ndpi_match_host_subprotocol(ndpi_struct, flow, certificate, strlen(certificate), NDPI_PROTOCOL_SSL); @@ -404,8 +408,6 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct { #if defined(NDPI_PROTOCOL_TOR) || defined(NDPI_PROTOCOL_VPN_X) || defined(NDPI_PROTOCOL_UNENCRYPTED_JABBER) || defined (NDPI_PROTOCOL_OSCAR) || defined (NDPI_PROTOCOL_ITUNES) || defined (NDPI_PROTOCOL_GMAIL) struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=flow->src; - // struct ndpi_id_struct *dst=flow->dst; u_int32_t a; u_int32_t end; #if defined(NDPI_PROTOCOL_UNENCRYPTED_JABBER) @@ -424,9 +426,9 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct #ifdef NDPI_PROTOCOL_UNENCRYPTED_JABBER if(packet->payload[a] == 't') { if(memcmp(&packet->payload[a], "talk.google.com", 15) == 0) { - NDPI_LOG(NDPI_PROTOCOL_UNENCRYPTED_JABBER, ndpi_struct, NDPI_LOG_DEBUG, "ssl jabber packet match\n"); if(NDPI_COMPARE_PROTOCOL_TO_BITMASK (ndpi_struct->detection_bitmask, NDPI_PROTOCOL_UNENCRYPTED_JABBER) != 0) { + NDPI_LOG_INFO(ndpi_struct, "found ssl jabber unencrypted\n"); ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_UNENCRYPTED_JABBER); return; } 
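Review bot: In the `@@ -153,7 +157,7 @@` hunk `++id` is now an argument of `NDPI_LOG_DBG2`, so the counter advances only when the macro actually evaluates its arguments. If the macro compiles out or tests the log level first (its definition is not in this hunk), the packet numbering depends on the logging configuration. Incrementing on its own line, `id++;`, and then logging `id` keeps the side effect out of the log call. The counter is a function-level `static`, so it is also shared by every flow and thread that reaches this block.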
@@ -447,7 +449,7 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct && memcmp(&packet->payload[a], "http://ocsp.web.aol.com/ocsp", 28) == 0) || ((a + 32) < packet->payload_packet_len && memcmp(&packet->payload[a], "http://pki-info.aol.com/AOLMSPKI", 32) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR SERVER SSL DETECTED\n"); + NDPI_LOG_INFO(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n"); if(flow->dst != NULL && packet->payload_packet_len > 75) { memcpy(flow->dst->oscar_ssl_session_id, &packet->payload[44], 32); @@ -464,7 +466,7 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct if((a + 21) < packet->payload_packet_len && (memcmp(&packet->payload[a], "my.screenname.aol.com", 21) == 0 || memcmp(&packet->payload[a], "sns-static.aolcdn.com", 21) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_OSCAR, ndpi_struct, NDPI_LOG_DEBUG, "OSCAR SERVER SSL DETECTED\n"); + NDPI_LOG_DBG(ndpi_struct, "found OSCAR SERVER SSL DETECTED\n"); ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_OSCAR); return; } @@ -475,14 +477,16 @@ static void ssl_mark_and_payload_search_for_other_protocols(struct no_check_for_ssl_payload: #endif if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_UNKNOWN) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "found ssl connection.\n"); + NDPI_LOG_DBG(ndpi_struct, "found ssl connection\n"); sslDetectProtocolFromCertificate(ndpi_struct, flow); if(!packet->ssl_certificate_detected && (!(flow->l4.tcp.ssl_seen_client_cert && flow->l4.tcp.ssl_seen_server_cert))) { /* SSL without certificate (Skype, Ultrasurf?) */ + NDPI_LOG_INFO(ndpi_struct, "found ssl NO_CERT\n"); ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL_NO_CERT); } else + NDPI_LOG_INFO(ndpi_struct, "found ssl\n"); ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); } } 
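Review bot: In the `@@ -475,14 +477,16 @@` hunk the final `else` has no braces, so the added `NDPI_LOG_INFO(ndpi_struct, "found ssl\n");` becomes its only body and `ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL);` now runs on both paths. A flow just marked `NDPI_PROTOCOL_SSL_NO_CERT` is then passed to the SSL call as well, which presumably overrides the no-certificate classification that monitoring or policy may key on. Brace the branch: `} else { NDPI_LOG_INFO(ndpi_struct, "found ssl\n"); ndpi_int_ssl_add_connection(ndpi_struct, flow, NDPI_PROTOCOL_SSL); }`. The enclosing function starts outside the hunk.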
@@ -492,10 +496,6 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - // - // struct ndpi_id_struct *src=flow->src; - // struct ndpi_id_struct *dst=flow->dst; - if((packet->payload_packet_len >= 5) && (packet->payload[0] == 0x16) @@ -506,13 +506,13 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct || (packet->payload[2] == 0x03) )) { u_int32_t temp; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "search sslv3\n"); + NDPI_LOG_DBG2(ndpi_struct, "search sslv3\n"); // SSLv3 Record if(packet->payload_packet_len >= 1300) { return 1; } temp = ntohs(get_u_int16_t(packet->payload, 3)) + 5; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); + NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); if(packet->payload_packet_len == temp || (temp < packet->payload_packet_len && packet->payload_packet_len > 500)) { return 1; @@ -522,16 +522,16 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct /* the server hello may be split into small packets */ u_int32_t cert_start; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "maybe SSLv3 server hello split into smaller packets\n"); /* lets hope at least the server hello and the start of the certificate block are in the first packet */ cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 4; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "suspected start of certificate: %u\n", + NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n", cert_start); if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "found 0x0b at suspected start of certificate block\n"); return 2; } 
@@ -542,16 +542,16 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct * so temp contains only the length for the first ServerHello block */ u_int32_t cert_start; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "maybe SSLv3 server hello split into smaller packets but with seperate record for the certificate\n"); /* lets hope at least the server hello record and the start of the certificate record are in the first packet */ cert_start = ntohs(get_u_int16_t(packet->payload, 7)) + 5 + 5 + 4; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "suspected start of certificate: %u\n", + NDPI_LOG_DBG2(ndpi_struct, "suspected start of certificate: %u\n", cert_start); if(cert_start < packet->payload_packet_len && packet->payload[cert_start] == 0x0b) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "found 0x0b at suspected start of certificate block\n"); return 2; } @@ -565,7 +565,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct return 1; } temp += temp2; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); + NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); if(packet->payload_packet_len == temp) { return 1; } @@ -576,7 +576,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct return 1; } temp += temp2; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); + NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); if(packet->payload_packet_len == temp) { return 1; } @@ -587,7 +587,7 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct return 1; } temp += temp2; - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "temp = %u.\n", temp); + NDPI_LOG_DBG2(ndpi_struct, "temp = %u\n", temp); if(temp == packet->payload_packet_len) { return 1; } 
@@ -602,10 +602,6 @@ static u_int8_t ndpi_search_sslv3_direction1(struct ndpi_detection_module_struct void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src=flow->src; - // struct ndpi_id_struct *dst=flow->dst; - u_int8_t ret; if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { @@ -613,7 +609,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc /* this should only happen, when we detected SSL with a packet that had parts of the certificate in subsequent packets * so go on checking for certificate patterns for a couple more packets */ - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "ssl flow but check another packet for patterns\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { @@ -627,7 +623,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc return; } - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "search ssl\n"); + NDPI_LOG_DBG(ndpi_struct, "search ssl\n"); { /* Check if this is whatsapp first (this proto runs over port 443) */ 
@@ -652,12 +648,12 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "first ssl packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "first ssl packet\n"); // SSLv2 Record if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) && (packet->payload_packet_len - packet->payload[1] == 2)) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv2 len match\n"); + NDPI_LOG_DBG2(ndpi_struct, "sslv2 len match\n"); flow->l4.tcp.ssl_stage = 1 + packet->packet_direction; return; } @@ -666,7 +662,7 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc && (packet->payload[2] == 0x00 || packet->payload[2] == 0x01 || packet->payload[2] == 0x02) && (packet->payload_packet_len - ntohs(get_u_int16_t(packet->payload, 3)) == 5)) { // SSLv3 Record - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv3 len match\n"); + NDPI_LOG_DBG2(ndpi_struct, "sslv3 len match\n"); flow->l4.tcp.ssl_stage = 1 + packet->packet_direction; return; } 
@@ -679,23 +675,23 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } if(packet->payload_packet_len > 40 && flow->l4.tcp.ssl_stage == 2 - packet->packet_direction) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "second ssl packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "second ssl packet\n"); // SSLv2 Record if(packet->payload[2] == 0x01 && packet->payload[3] == 0x03 && (packet->payload[4] == 0x00 || packet->payload[4] == 0x01 || packet->payload[4] == 0x02) && (packet->payload_packet_len - 2) >= packet->payload[1]) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv2 server len match\n"); + NDPI_LOG_DBG2(ndpi_struct, "sslv2 server len match\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); return; } ret = ndpi_search_sslv3_direction1(ndpi_struct, flow); if(ret == 1) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "sslv3 server len match\n"); + NDPI_LOG_DBG2(ndpi_struct, "sslv3 server len match\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); return; } else if(ret == 2) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "sslv3 server len match with split packet -> check some more packets for SSL patterns\n"); ssl_mark_and_payload_search_for_other_protocols(ndpi_struct, flow); if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { @@ -705,13 +701,12 @@ void ndpi_search_ssl_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc } if(packet->payload_packet_len > 40 && flow->packet_direction_counter[packet->packet_direction] < 5) { - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "need next packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "need next packet\n"); return; } } - NDPI_LOG(NDPI_PROTOCOL_SSL, ndpi_struct, NDPI_LOG_DEBUG, "exclude ssl\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SSL); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } 
diff --git a/src/lib/protocols/starcraft.c b/src/lib/protocols/starcraft.c index 760578563..73cdd0b12 100644 --- a/src/lib/protocols/starcraft.c +++ b/src/lib/protocols/starcraft.c @@ -19,11 +19,15 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_STARCRAFT +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_STARCRAFT + +#include "ndpi_api.h" + + /* Sender or receiver are one of the known login portals? */ u_int8_t sc2_match_logon_ip(struct ndpi_packet_struct* packet) { @@ -112,7 +116,7 @@ u_int8_t ndpi_check_starcraft_udp(struct ndpi_detection_module_struct* ndpi_stru void ndpi_search_starcraft(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) { - NDPI_LOG(NDPI_PROTOCOL_STARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "Starcraft protocol detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search Starcraft\n"); if (flow->packet.detected_protocol_stack[0] != NDPI_PROTOCOL_STARCRAFT) { struct ndpi_packet_struct* packet = &flow->packet; int8_t result = 0; 
@@ -120,24 +124,22 @@ void ndpi_search_starcraft(struct ndpi_detection_module_struct* ndpi_struct, str if (packet->udp != NULL) { result = ndpi_check_starcraft_udp(ndpi_struct, flow); if (result == 1) { - //printf("Found Starcraft 2 [Game, UDP]\n"); - NDPI_LOG(NDPI_PROTOCOL_STARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "Found Starcraft 2 [Game, UDP]\n"); + NDPI_LOG_INFO(ndpi_struct, "Found Starcraft 2 [Game, UDP]\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STARCRAFT, NDPI_PROTOCOL_UNKNOWN); + return; } } else if (packet->tcp != NULL) { result = ndpi_check_starcraft_tcp(ndpi_struct, flow); if (result == 1) { - //printf("Found Starcraft 2 [Client, TCP]\n"); - NDPI_LOG(NDPI_PROTOCOL_STARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "Found Starcraft 2 [Client, TCP]\n"); + NDPI_LOG_INFO(ndpi_struct, "Found Starcraft 2 [Client, TCP]\n"); + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STARCRAFT, NDPI_PROTOCOL_UNKNOWN); + return; } } - if (result == 1) { - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STARCRAFT, NDPI_PROTOCOL_UNKNOWN); - } - else if (result == -1) { - NDPI_LOG(NDPI_PROTOCOL_STARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "Starcraft excluded\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STARCRAFT); + if (result == -1) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } } diff --git a/src/lib/protocols/stealthnet.c b/src/lib/protocols/stealthnet.c index 09e6c18d4..8bd75b1a3 100644 --- a/src/lib/protocols/stealthnet.c +++ b/src/lib/protocols/stealthnet.c @@ -22,11 +22,14 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_STEALTHNET +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_STEALTHNET + +#include "ndpi_api.h" + static void ndpi_int_stealthnet_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
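Review bot: `result` is an `int8_t` tested with `if (result == -1)`, but the preceding hunk header shows `ndpi_check_starcraft_udp` declared as returning `u_int8_t`. If the helpers signal exclusion with -1, as this test implies, the value reaches the comparison only through an unsigned-to-signed narrowing that is implementation-defined. Declaring both check helpers with a signed return type such as `int8_t` makes the exclusion path explicit. The helper bodies are outside this hunk, so their actual return values should be confirmed.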
@@ -39,20 +42,16 @@ void ndpi_search_stealthnet(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src = flow->src; - // struct ndpi_id_struct *dst = flow->dst; - + NDPI_LOG_DBG(ndpi_struct, "search stealthnet\n"); if (packet->payload_packet_len > 40 && memcmp(packet->payload, "LARS REGENSBURGER'S FILE SHARING PROTOCOL", 41) == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEALTHNET, ndpi_struct, NDPI_LOG_DEBUG, "found stealthnet\n"); + NDPI_LOG_INFO(ndpi_struct, "found stealthnet\n"); ndpi_int_stealthnet_add_connection(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_STEALTHNET, ndpi_struct, NDPI_LOG_DEBUG, "exclude stealthnet.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STEALTHNET); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/steam.c b/src/lib/protocols/steam.c index d12a0cb4b..64eaa04fe 100644 --- a/src/lib/protocols/steam.c +++ b/src/lib/protocols/steam.c @@ -23,10 +23,14 @@ * along with nDPI. If not, see . * */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_STEAM + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_STEAM #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_STEAM static void ndpi_int_steam_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_STEAM, NDPI_PROTOCOL_UNKNOWN); } @@ -38,7 +42,7 @@ static void ndpi_check_steam_http(struct ndpi_detection_module_struct *ndpi_stru if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 23 && memcmp(packet->user_agent_line.ptr, "Valve/Steam HTTP Client", 23) == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); ndpi_int_steam_add_connection(ndpi_struct, flow); } } 
@@ -48,10 +52,10 @@ static void ndpi_check_steam_tcp(struct ndpi_detection_module_struct *ndpi_struc u_int32_t payload_len = packet->payload_packet_len; if (flow->steam_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); + NDPI_LOG_DBG2(ndpi_struct, "STEAM stage 0: \n"); if ((payload_len == 1 && packet->payload[0] == 0x01) || ((payload_len == 4 || payload_len == 5) && ndpi_match_strprefix(packet->payload, payload_len, "\x01\x00\x00\x00"))) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible STEAM request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->steam_stage = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 
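Review bot: The rewritten messages in this hunk end in `..\n` where the old ones ended in `...\n`, which looks like a side effect of stripping the trailing full stop mechanically. The same truncation appears in the later ndpi_check_steam_tcp, ndpi_check_steam_udp1 and ndpi_check_steam_udp2 hunks. The ellipsis should be restored, for example `NDPI_LOG_DBG2(ndpi_struct, "Possible STEAM request detected, we will look further for the response...\n");`. In the `@@ -157,10 +161,10 @@` hunk the stage-reset message is logged with `NDPI_LOG_DBG` while the identical message elsewhere uses `NDPI_LOG_DBG2`, so one level should be chosen for all of them.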
@@ -59,14 +63,14 @@ static void ndpi_check_steam_tcp(struct ndpi_detection_module_struct *ndpi_struc } if ((payload_len == 1 && packet->payload[0] == 0x00) || ((payload_len == 4 || payload_len == 5) && ndpi_match_strprefix(packet->payload, payload_len, "\x00\x00\x00"))) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible STEAM request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->steam_stage = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4 return; } } else if ((flow->steam_stage == 1) || (flow->steam_stage == 2)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage); + NDPI_LOG_DBG2(ndpi_struct, "STEAM stage %u: \n", flow->steam_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->steam_stage - packet->packet_direction) == 1) { 
@@ -75,14 +79,14 @@ static void ndpi_check_steam_tcp(struct ndpi_detection_module_struct *ndpi_struc /* This is a packet in another direction. Check if we find the proper response. */ if ((payload_len == 1 && packet->payload[0] == 0x00) || ((payload_len == 4 || payload_len == 5) && ndpi_match_strprefix(packet->payload, payload_len, "\x00\x00\x00"))) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); ndpi_int_steam_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to STEAM, resetting the stage to 0..\n"); flow->steam_stage = 0; } } else if ((flow->steam_stage == 3) || (flow->steam_stage == 4)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage); + NDPI_LOG_DBG2(ndpi_struct, "STEAM stage %u: \n", flow->steam_stage); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->steam_stage - packet->packet_direction) == 3) { 
@@ -91,10 +95,10 @@ static void ndpi_check_steam_tcp(struct ndpi_detection_module_struct *ndpi_struc /* This is a packet in another direction. Check if we find the proper response. */ if ((payload_len == 1 && packet->payload[0] == 0x01) || ((payload_len == 4 || payload_len == 5) && ndpi_match_strprefix(packet->payload, payload_len, "\x01\x00\x00\x00"))) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); ndpi_int_steam_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to STEAM, resetting the stage to 0..\n"); flow->steam_stage = 0; } } 
@@ -105,17 +109,17 @@ static void ndpi_check_steam_udp1(struct ndpi_detection_module_struct *ndpi_stru u_int32_t payload_len = packet->payload_packet_len; if (ndpi_match_strprefix(packet->payload, payload_len, "VS01")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); ndpi_int_steam_add_connection(ndpi_struct, flow); return; } /* Check if we so far detected the protocol in the request or not. */ if (flow->steam_stage1 == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); + NDPI_LOG_DBG2(ndpi_struct, "STEAM stage 0: \n"); if (ndpi_match_strprefix(packet->payload, payload_len, "\x31\xff\x30\x2e")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible STEAM request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->steam_stage1 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 @@ -123,7 +127,7 @@ static void ndpi_check_steam_udp1(struct ndpi_detection_module_struct *ndpi_stru } if (ndpi_match_strprefix(packet->payload, payload_len, "\xff\xff\xff\xff")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible STEAM request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->steam_stage1 = packet->packet_direction + 3; // packet_direction 0: stage 3, packet_direction 1: stage 4 
@@ -131,7 +135,7 @@ static void ndpi_check_steam_udp1(struct ndpi_detection_module_struct *ndpi_stru } } else if ((flow->steam_stage1 == 1) || (flow->steam_stage1 == 2)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage1); + NDPI_LOG_DBG2(ndpi_struct, "STEAM stage %u: \n", flow->steam_stage1); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->steam_stage1 - packet->packet_direction) == 1) { @@ -140,15 +144,15 @@ static void ndpi_check_steam_udp1(struct ndpi_detection_module_struct *ndpi_stru /* This is a packet in another direction. Check if we find the proper response. */ if (ndpi_match_strprefix(packet->payload, payload_len, "\xff\xff\xff\xff")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); ndpi_int_steam_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to STEAM, resetting the stage to 0..\n"); flow->steam_stage1 = 0; } } else if ((flow->steam_stage1 == 3) || (flow->steam_stage1 == 4)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage1); + NDPI_LOG_DBG2(ndpi_struct, "STEAM stage %u: \n", flow->steam_stage1); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->steam_stage1 - packet->packet_direction) == 3) { 
@@ -157,10 +161,10 @@ static void ndpi_check_steam_udp1(struct ndpi_detection_module_struct *ndpi_stru /* This is a packet in another direction. Check if we find the proper response. */ if (ndpi_match_strprefix(packet->payload, payload_len, "\x31\xff\x30\x2e")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); ndpi_int_steam_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + NDPI_LOG_DBG(ndpi_struct, "The reply did not seem to belong to STEAM, resetting the stage to 0..\n"); flow->steam_stage1 = 0; } @@ -173,17 +177,17 @@ static void ndpi_check_steam_udp2(struct ndpi_detection_module_struct *ndpi_stru /* Check if we so far detected the protocol in the request or not. */ if (flow->steam_stage2 == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); + NDPI_LOG_DBG2(ndpi_struct, "STEAM stage 0: \n"); if ((payload_len == 25) && ndpi_match_strprefix(packet->payload, payload_len, "\xff\xff\xff\xff")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible STEAM request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->steam_stage2 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 } } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage2); + NDPI_LOG_DBG2(ndpi_struct, "STEAM stage %u: \n", flow->steam_stage2); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->steam_stage2 - packet->packet_direction) == 1) { 
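Review bot: In the stage 3/4 reply branch of ndpi_check_steam_udp1 the "resetting the stage to 0" message is logged with `NDPI_LOG_DBG`, while the same message in the stage 1/2 branch and in ndpi_check_steam_tcp, ndpi_check_steam_udp2 and ndpi_check_steam_udp3 uses `NDPI_LOG_DBG2`. Unless the difference is intended, use `NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to STEAM, resetting the stage to 0..\n");` here too, so one verbosity setting shows or hides all of them. The function body starts and ends outside this hunk.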
@@ -192,10 +196,10 @@ static void ndpi_check_steam_udp2(struct ndpi_detection_module_struct *ndpi_stru /* This is a packet in another direction. Check if we find the proper response. */ if ((payload_len == 0) || ndpi_match_strprefix(packet->payload, payload_len, "\xff\xff\xff\xff")) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); ndpi_int_steam_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to STEAM, resetting the stage to 0..\n"); flow->steam_stage2 = 0; } 
@@ -208,17 +212,17 @@ static void ndpi_check_steam_udp3(struct ndpi_detection_module_struct *ndpi_stru /* Check if we so far detected the protocol in the request or not. */ if (flow->steam_stage3 == 0) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage 0: \n"); + NDPI_LOG_DBG2(ndpi_struct, "STEAM stage 0: \n"); if ((payload_len == 4) && (packet->payload[0] == 0x39) && (packet->payload[1] == 0x18) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x00)) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Possible STEAM request detected, we will look further for the response...\n"); + NDPI_LOG_DBG2(ndpi_struct, "Possible STEAM request detected, we will look further for the response..\n"); /* Encode the direction of the packet in the stage, so we will know when we need to look for the response packet. */ flow->steam_stage3 = packet->packet_direction + 1; // packet_direction 0: stage 1, packet_direction 1: stage 2 } } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM stage %u: \n", flow->steam_stage3); + NDPI_LOG_DBG2(ndpi_struct, "STEAM stage %u: \n", flow->steam_stage3); /* At first check, if this is for sure a response packet (in another direction. If not, do nothing now and return. */ if ((flow->steam_stage3 - packet->packet_direction) == 1) { 
@@ -227,10 +231,10 @@ static void ndpi_check_steam_udp3(struct ndpi_detection_module_struct *ndpi_stru /* This is a packet in another direction. Check if we find the proper response. */ if ((payload_len == 0) || ((payload_len == 8) && (packet->payload[0] == 0x3a) && (packet->payload[1] == 0x18) && (packet->payload[2] == 0x00) && (packet->payload[3] == 0x00))) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Found STEAM.\n"); + NDPI_LOG_INFO(ndpi_struct, "found STEAM\n"); ndpi_int_steam_add_connection(ndpi_struct, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "The reply did not seem to belong to STEAM, resetting the stage to 0...\n"); + NDPI_LOG_DBG2(ndpi_struct, "The reply did not seem to belong to STEAM, resetting the stage to 0..\n"); flow->steam_stage3 = 0; } @@ -242,8 +246,7 @@ void ndpi_search_steam(struct ndpi_detection_module_struct *ndpi_struct, struct /* Break after 20 packets. */ if (flow->packet_counter > 20) { - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "Exclude STEAM.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STEAM); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -256,7 +259,7 @@ void ndpi_search_steam(struct ndpi_detection_module_struct *ndpi_struct, struct return; } - NDPI_LOG(NDPI_PROTOCOL_STEAM, ndpi_struct, NDPI_LOG_DEBUG, "STEAM detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search STEAM\n"); ndpi_check_steam_http(ndpi_struct, flow); if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_STEAM) { diff --git a/src/lib/protocols/stun.c b/src/lib/protocols/stun.c index d44d9c26e..53f39c4d6 100644 --- a/src/lib/protocols/stun.c +++ b/src/lib/protocols/stun.c @@ -21,10 +21,14 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" + +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_STUN +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_STUN + +#include "ndpi_api.h" #define MAX_NUM_STUN_PKTS 10 
@@ -64,7 +68,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * if((strncmp((const char*)payload, (const char*)"RSP/", 4) == 0) && (strncmp((const char*)&payload[7], (const char*)" STUN_", 6) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "Found stun.\n"); + NDPI_LOG_INFO(ndpi_struct, "found stun\n"); goto udp_stun_found; } @@ -159,10 +163,10 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * u_int8_t mod; u_int8_t old = 1; u_int8_t padding = 0; - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "len and type match.\n"); + NDPI_LOG_DBG2(ndpi_struct, "len and type match\n"); if(payload_length == 20) { - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found stun.\n"); + NDPI_LOG_INFO(ndpi_struct, "found stun\n"); goto udp_stun_found; } @@ -183,7 +187,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * || payload[a + 1] == 0x2a || payload[a + 1] == 0x29 || payload[a + 1] == 0x50 || payload[a + 1] == 0x54 || payload[a + 1] == 0x55)))) { - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "attribute match.\n"); + NDPI_LOG_DBG2(ndpi_struct, "attribute match\n"); a += ((payload[a + 2] << 8) + payload[a + 3] + 4); mod = a % 4; @@ -191,7 +195,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * padding = 4 - mod; } if(a == payload_length || (padding && (a + padding) == payload_length)) { - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found stun.\n"); + NDPI_LOG_INFO(ndpi_struct, "found stun\n"); goto udp_stun_found; } 
@@ -215,7 +219,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * if((payload[a + padding] == 0x40) && (payload[a + padding + 1] == 0x00)) goto udp_stun_found; - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "New STUN - attribute match.\n"); + NDPI_LOG_DBG2(ndpi_struct, "New STUN - attribute match\n"); old = 0; a += ((payload[a + 2 + padding] << 8) + payload[a + 3 + padding] + 4); @@ -225,7 +229,7 @@ static ndpi_int_stun_t ndpi_int_check_stun(struct ndpi_detection_module_struct * a += 4 - mod; } if(a == payload_length) { - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found stun.\n"); + NDPI_LOG_INFO(ndpi_struct, "found stun\n"); goto udp_stun_found; } } else { @@ -254,7 +258,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n struct ndpi_packet_struct *packet = &flow->packet; u_int8_t is_whatsapp = 0, is_skype = 0; - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "search stun.\n"); + NDPI_LOG_DBG(ndpi_struct, "search stun\n"); if(packet->tcp) { /* STUN may be encapsulated in TCP packets */ @@ -267,10 +271,10 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload + 2, packet->payload_packet_len - 2, &is_whatsapp, &is_skype) == NDPI_IS_STUN) { if(is_skype) { - NDPI_LOG(NDPI_PROTOCOL_SKYPE, ndpi_struct, NDPI_LOG_DEBUG, "Found Skype\n"); + NDPI_LOG_INFO(ndpi_struct, "found Skype\n"); ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_SKYPE, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found UDP stun.\n"); + NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); ndpi_int_stun_add_connection(ndpi_struct, is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_STUN, flow); } 
@@ -282,10 +286,10 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n if(ndpi_int_check_stun(ndpi_struct, flow, packet->payload, packet->payload_packet_len, &is_whatsapp, &is_skype) == NDPI_IS_STUN) { if(is_skype) { - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "Found Skype\n"); + NDPI_LOG_INFO(ndpi_struct, "Found Skype\n"); ndpi_int_stun_add_connection(ndpi_struct, NDPI_PROTOCOL_SKYPE, flow); } else { - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "found UDP stun.\n"); + NDPI_LOG_INFO(ndpi_struct, "found UDP stun\n"); ndpi_int_stun_add_connection(ndpi_struct, is_whatsapp ? NDPI_PROTOCOL_WHATSAPP_VOICE : NDPI_PROTOCOL_STUN, flow); } @@ -293,8 +297,7 @@ void ndpi_search_stun(struct ndpi_detection_module_struct *ndpi_struct, struct n } if(flow->num_stun_udp_pkts >= MAX_NUM_STUN_PKTS) { - NDPI_LOG(NDPI_PROTOCOL_STUN, ndpi_struct, NDPI_LOG_DEBUG, "exclude stun.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_STUN); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/syslog.c b/src/lib/protocols/syslog.c index 589f40f21..d83cd99f7 100644 --- a/src/lib/protocols/syslog.c +++ b/src/lib/protocols/syslog.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_SYSLOG +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_SYSLOG + +#include "ndpi_api.h" + static void ndpi_int_syslog_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
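Review bot: The Skype branch of the UDP path logs `"Found Skype\n"`, but the TCP-encapsulated branch of ndpi_search_stun one hunk earlier logs `"found Skype\n"`, and the other "found …" messages in these hunks start lower-case. Use `NDPI_LOG_INFO(ndpi_struct, "found Skype\n");` so a case-sensitive log search catches both. The old TCP-branch call tagged its message with NDPI_PROTOCOL_SKYPE; with the protocol argument gone, the message is presumably attributed to NDPI_CURRENT_PROTO (STUN). A short comment would help if per-protocol log filtering is relied on.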
@@ -36,45 +40,41 @@ void ndpi_search_syslog(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - u_int8_t i; - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "search syslog\n"); + NDPI_LOG_DBG(ndpi_struct, "search syslog\n"); if (packet->payload_packet_len > 20 && packet->payload_packet_len <= 1024 && packet->payload[0] == '<') { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "checked len>20 and <1024 and first symbol=<.\n"); + NDPI_LOG_DBG2(ndpi_struct, "checked len>20 and <1024 and first symbol=<\n"); for (i = 1; i <= 3; i++) { if (packet->payload[i] < '0' || packet->payload[i] > '9') { break; } } - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "read symbols while the symbol is a number.\n"); if (packet->payload[i++] != '>') { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "there is no > following the number.\n"); + NDPI_LOG_DBG(ndpi_struct, "excluded, there is no > following the number\n"); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG); return; } else { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "a > following the number.\n"); + NDPI_LOG_DBG2(ndpi_struct, "a > following the number\n"); } if (packet->payload[i] == 0x20) { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "a blank following the >: increment i.\n"); + NDPI_LOG_DBG2(ndpi_struct, "a blank following the >: increment i\n"); i++; } else { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "no blank following the >: do nothing.\n"); + NDPI_LOG_DBG2(ndpi_struct, "no blank following the >: do nothing\n"); } /* check for "last message repeated" */ if (i + sizeof("last message") - 1 <= packet->payload_packet_len && memcmp(packet->payload + i, "last message", 
sizeof("last message") - 1) == 0) { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "found syslog by 'last message' string.\n"); + NDPI_LOG_INFO(ndpi_struct, "found syslog by 'last message' string\n"); ndpi_int_syslog_add_connection(ndpi_struct, flow); @@ -84,7 +84,7 @@ void ndpi_search_syslog(struct ndpi_detection_module_struct /* snort events */ - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "found syslog by 'snort: ' string.\n"); + NDPI_LOG_INFO(ndpi_struct, "found syslog by 'snort: ' string\n"); ndpi_int_syslog_add_connection(ndpi_struct, flow); @@ -103,27 +103,20 @@ void ndpi_search_syslog(struct ndpi_detection_module_struct && memcmp(&packet->payload[i], "Oct", 3) != 0 && memcmp(&packet->payload[i], "Nov", 3) != 0 && memcmp(&packet->payload[i], "Dec", 3) != 0) { - - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, - "no month-shortname following: syslog excluded.\n"); - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } else { - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, - "a month-shortname following: syslog detected.\n"); + NDPI_LOG_INFO(ndpi_struct, "found syslog\n"); ndpi_int_syslog_add_connection(ndpi_struct, flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_SYSLOG, ndpi_struct, NDPI_LOG_DEBUG, "no syslog detected.\n"); - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/teamspeak.c b/src/lib/protocols/teamspeak.c index fd8a296fb..df13c9756 100644 --- a/src/lib/protocols/teamspeak.c +++ b/src/lib/protocols/teamspeak.c 
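Review bot: ndpi_search_syslog now mixes two exclusion idioms. The missing-`>` path keeps `NDPI_LOG_DBG(...)` followed by `NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_SYSLOG)`, while the month-name path and the final fall-through use `NDPI_EXCLUDE_PROTO(ndpi_struct, flow)`. The macro's definition is not on this page; if it already logs the exclusion, use `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` on the first path as well, or add a comment such as `/* explicit pair kept to log the reason */`. The thunder.c hunks for ndpi_int_search_thunder_udp and ndpi_int_search_thunder_tcp keep the same explicit pair and deserve the same decision. The message `"read symbols while the symbol is a number.\n"` also still has the trailing period that the other converted messages dropped.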
@@ -17,49 +17,53 @@ * If not, see . */ -#include "ndpi_api.h" - +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_TEAMSPEAK +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TEAMSPEAK + +#include "ndpi_api.h" + static void ndpi_int_teamspeak_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEAMSPEAK, NDPI_PROTOCOL_UNKNOWN); } - u_int16_t tdport = 0, tsport = 0; - u_int16_t udport = 0, usport = 0; void ndpi_search_teamspeak(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - struct ndpi_packet_struct *packet = &flow->packet; + struct ndpi_packet_struct *packet = &flow->packet; -if (packet->udp != NULL) { - usport = ntohs(packet->udp->source), udport = ntohs(packet->udp->dest); - /* http://www.imfirewall.com/en/protocols/teamSpeak.htm */ - if (((usport == 9987 || udport == 9987) || (usport == 8767 || udport == 8767)) && packet->payload_packet_len >= 20) { - NDPI_LOG(NDPI_PROTOCOL_TEAMSPEAK, ndpi_struct, NDPI_LOG_DEBUG, "found TEAMSPEAK udp.\n"); - ndpi_int_teamspeak_add_connection(ndpi_struct, flow); + NDPI_LOG_DBG(ndpi_struct, "search teamspeak\n"); + + if (packet->udp != NULL) { + u_int16_t udport, usport; + usport = ntohs(packet->udp->source), udport = ntohs(packet->udp->dest); + /* http://www.imfirewall.com/en/protocols/teamSpeak.htm */ + if (((usport == 9987 || udport == 9987) || (usport == 8767 || udport == 8767)) && packet->payload_packet_len >= 20) { + NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK udp\n"); + ndpi_int_teamspeak_add_connection(ndpi_struct, flow); + } } -} -else if (packet->tcp != NULL) { - tsport = ntohs(packet->tcp->source), tdport = ntohs(packet->tcp->dest); + else if (packet->tcp != NULL) { + u_int16_t tdport, tsport; + tsport = ntohs(packet->tcp->source), tdport = ntohs(packet->tcp->dest); /* https://github.com/Youx/soliloque-server/wiki/Connection-packet */ if(packet->payload_packet_len >= 20) { if 
(((memcmp(packet->payload, "\xf4\xbe\x03\x00", 4) == 0)) || ((memcmp(packet->payload, "\xf4\xbe\x02\x00", 4) == 0)) || ((memcmp(packet->payload, "\xf4\xbe\x01\x00", 4) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_TEAMSPEAK, ndpi_struct, NDPI_LOG_DEBUG, "found TEAMSPEAK tcp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK tcp\n"); ndpi_int_teamspeak_add_connection(ndpi_struct, flow); } /* http://www.imfirewall.com/en/protocols/teamSpeak.htm */ } else if ((tsport == 14534 || tdport == 14534) || (tsport == 51234 || tdport == 51234)) { - NDPI_LOG(NDPI_PROTOCOL_TEAMSPEAK, ndpi_struct, NDPI_LOG_DEBUG, "found TEAMSPEAK.\n"); + NDPI_LOG_INFO(ndpi_struct, "found TEAMSPEAK\n"); ndpi_int_teamspeak_add_connection(ndpi_struct, flow); } } - NDPI_LOG(NDPI_PROTOCOL_TEAMSPEAK, ndpi_struct, NDPI_LOG_DEBUG, "TEAMSPEAK excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TEAMSPEAK); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } diff --git a/src/lib/protocols/teamviewer.c b/src/lib/protocols/teamviewer.c index b97f6b157..f06e40a73 100644 --- a/src/lib/protocols/teamviewer.c +++ b/src/lib/protocols/teamviewer.c 
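Review bot: `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` at the end of ndpi_search_teamspeak runs on every path, including the three branches that have just called `ndpi_int_teamspeak_add_connection(ndpi_struct, flow)`. A flow is therefore reported as TeamSpeak and added to the excluded set in the same call. The removed lines did the same with NDPI_ADD_PROTOCOL_TO_BITMASK, so the behaviour is carried over rather than introduced, but this rewrite is the natural place to fix it. Add `return;` directly after each `ndpi_int_teamspeak_add_connection(ndpi_struct, flow);` so that only unmatched packets reach the exclusion.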
@@ -22,23 +22,28 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_TEAMVIEWER +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TEAMVIEWER + +#include "ndpi_api.h" + + static void ndpi_int_teamview_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEAMVIEWER, NDPI_PROTOCOL_UNKNOWN); - NDPI_LOG(NDPI_PROTOCOL_TEAMVIEWER, ndpi_struct, NDPI_LOG_TRACE, "TEAMWIEWER Found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found teamwiewer\n"); } void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_TEAMVIEWER, ndpi_struct, NDPI_LOG_TRACE, "TEAMWIEWER detection...\n"); + + NDPI_LOG_DBG(ndpi_struct, "search teamwiewer\n"); /* TeamViewer 178.77.120.0/25 @@ -95,7 +100,7 @@ void ndpi_search_teamview(struct ndpi_detection_module_struct *ndpi_struct, stru } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TEAMVIEWER); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/telegram.c b/src/lib/protocols/telegram.c index 6d71dc844..d80f5f6b5 100644 --- a/src/lib/protocols/telegram.c +++ b/src/lib/protocols/telegram.c @@ -23,15 +23,19 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_TELEGRAM +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TELEGRAM + +#include "ndpi_api.h" + static void ndpi_int_telegram_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TELEGRAM, NDPI_PROTOCOL_UNKNOWN); - NDPI_LOG(NDPI_PROTOCOL_TELEGRAM, ndpi_struct, NDPI_LOG_TRACE, "TELEGRAM Found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found telegram\n"); } 
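Review bot: Both new log strings in teamviewer.c spell the protocol "teamwiewer": `"found teamwiewer\n"` in ndpi_int_teamview_add_connection and `"search teamwiewer\n"` in ndpi_search_teamview. The typo is carried over from the old messages. Anyone filtering detection logs for "teamviewer" will miss these lines; use `"found teamviewer\n"` and `"search teamviewer\n"`.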
@@ -40,7 +44,7 @@ void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struct, stru struct ndpi_packet_struct *packet = &flow->packet; u_int16_t dport /* , sport */; - NDPI_LOG(NDPI_PROTOCOL_TELEGRAM, ndpi_struct, NDPI_LOG_TRACE, "TELEGRAM detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search telegram\n"); if (packet->payload_packet_len == 0) return; @@ -63,7 +67,7 @@ void ndpi_search_telegram(struct ndpi_detection_module_struct *ndpi_struct, stru } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TELEGRAM); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/telnet.c b/src/lib/protocols/telnet.c index 0be921d44..17618f795 100644 --- a/src/lib/protocols/telnet.c +++ b/src/lib/protocols/telnet.c @@ -23,9 +23,13 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" + #ifdef NDPI_PROTOCOL_TELNET +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TELNET + +#include "ndpi_api.h" static void ndpi_int_telnet_add_connection(struct ndpi_detection_module_struct 
@@ -76,30 +80,25 @@ u_int8_t search_iac(struct ndpi_detection_module_struct *ndpi_struct, struct ndp void ndpi_search_telnet_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { - // struct ndpi_packet_struct *packet = &flow->packet; - - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "search telnet.\n"); + NDPI_LOG_DBG(ndpi_struct, "search telnet\n"); if (search_iac(ndpi_struct, flow) == 1) { if (flow->l4.tcp.telnet_stage == 2) { - NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet identified.\n"); + NDPI_LOG_INFO(ndpi_struct, "found telnet\n"); ndpi_int_telnet_add_connection(ndpi_struct, flow); return; } flow->l4.tcp.telnet_stage++; - NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet stage %u.\n", flow->l4.tcp.telnet_stage); + NDPI_LOG_DBG2(ndpi_struct, "telnet stage %u\n", flow->l4.tcp.telnet_stage); return; } if ((flow->packet_counter < 12 && flow->l4.tcp.telnet_stage > 0) || flow->packet_counter < 6) { return; } else { - NDPI_LOG(NDPI_PROTOCOL_TELNET, ndpi_struct, NDPI_LOG_DEBUG, "telnet excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TELNET); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } return; } diff --git a/src/lib/protocols/teredo.c b/src/lib/protocols/teredo.c index 079d1fbcd..2439f997b 100644 --- a/src/lib/protocols/teredo.c +++ b/src/lib/protocols/teredo.c 
@@ -18,24 +18,30 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_TEREDO +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TEREDO + +#include "ndpi_api.h" + /* https://en.wikipedia.org/wiki/Teredo_tunneling */ void ndpi_search_teredo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct,"search teredo\n"); if(packet->udp && packet->iph && ((ntohl(packet->iph->daddr) & 0xF0000000) == 0xE0000000 /* A multicast address */) && ((ntohs(packet->udp->source) == 3544) || (ntohs(packet->udp->dest) == 3544)) - && (packet->payload_packet_len >= 40 /* IPv6 header */)) + && (packet->payload_packet_len >= 40 /* IPv6 header */)) { + NDPI_LOG_INFO(ndpi_struct,"found teredo\n"); ndpi_int_change_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TEREDO, NDPI_PROTOCOL_UNKNOWN); - else - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TEREDO); + } else { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } } diff --git a/src/lib/protocols/tftp.c b/src/lib/protocols/tftp.c index feb37e620..082e04326 100644 --- a/src/lib/protocols/tftp.c +++ b/src/lib/protocols/tftp.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_TFTP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TFTP + +#include "ndpi_api.h" + static void ndpi_int_tftp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
@@ -37,30 +41,29 @@ void ndpi_search_tftp(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "search TFTP.\n"); + NDPI_LOG_DBG(ndpi_struct, "search TFTP\n"); if (packet->payload_packet_len > 3 && flow->l4.udp.tftp_stage == 0 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00030001) { - NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "maybe tftp. need next packet.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe tftp. need next packet\n"); flow->l4.udp.tftp_stage = 1; return; } if (packet->payload_packet_len > 3 && (flow->l4.udp.tftp_stage == 1) && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040001) { - NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "found tftp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found tftp\n"); ndpi_int_tftp_add_connection(ndpi_struct, flow); return; } if (packet->payload_packet_len > 1 && ((packet->payload[0] == 0 && packet->payload[packet->payload_packet_len - 1] == 0) || (packet->payload_packet_len == 4 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x00040000))) { - NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "skip initial packet.\n"); + NDPI_LOG_DBG2(ndpi_struct, "skip initial packet\n"); return; } - NDPI_LOG(NDPI_PROTOCOL_TFTP, ndpi_struct, NDPI_LOG_DEBUG, "exclude TFTP.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TFTP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/thunder.c b/src/lib/protocols/thunder.c index f0198cdda..2818d873d 100644 --- a/src/lib/protocols/thunder.c +++ b/src/lib/protocols/thunder.c 
@@ -22,10 +22,15 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_THUNDER +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_THUNDER + +#include "ndpi_api.h" + + static void ndpi_int_thunder_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , ndpi_protocol_type_t protocol_type */) { @@ -55,26 +60,21 @@ void ndpi_int_search_thunder_udp(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - if (packet->payload_packet_len > 8 && packet->payload[0] >= 0x30 && packet->payload[0] < 0x40 && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) { if (flow->thunder_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "THUNDER udp detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found THUNDER udp\n"); ndpi_int_thunder_add_connection(ndpi_struct, flow); return; } flow->thunder_stage++; - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "maybe thunder udp packet detected, stage increased to %u\n", flow->thunder_stage); return; } - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, - "excluding thunder udp at stage %u\n", flow->thunder_stage); - + NDPI_LOG_DBG(ndpi_struct, "excluding thunder udp at stage %u\n", flow->thunder_stage); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_THUNDER); } 
@@ -89,19 +89,16 @@ void ndpi_int_search_thunder_tcp(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - if (packet->payload_packet_len > 8 && packet->payload[0] >= 0x30 && packet->payload[0] < 0x40 && packet->payload[1] == 0 && packet->payload[2] == 0 && packet->payload[3] == 0) { if (flow->thunder_stage == 3) { - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "THUNDER tcp detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found THUNDER tcp\n"); ndpi_int_thunder_add_connection(ndpi_struct, flow); return; } flow->thunder_stage++; - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "maybe thunder tcp packet detected, stage increased to %u\n", flow->thunder_stage); return; } @@ -110,7 +107,7 @@ void ndpi_int_search_thunder_tcp(struct ndpi_detection_module_struct && memcmp(packet->payload, "POST / HTTP/1.1\r\n", 17) == 0) { ndpi_parse_packet_line_info(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "maybe thunder http POST packet detected, parsed packet lines: %u, empty line set %u (at: %u)\n", packet->parsed_lines, packet->empty_line_position_set, packet->empty_line_position); 
@@ -124,15 +121,13 @@ void ndpi_int_search_thunder_tcp(struct ndpi_detection_module_struct && packet->payload[packet->empty_line_position + 3] == 0x00 && packet->payload[packet->empty_line_position + 4] == 0x00 && packet->payload[packet->empty_line_position + 5] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, - "maybe thunder http POST packet application does match\n"); + NDPI_LOG_INFO(ndpi_struct, + "found thunder http POST packet application does match\n"); ndpi_int_thunder_add_connection(ndpi_struct, flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, - "excluding thunder tcp at stage %u\n", flow->thunder_stage); - + NDPI_LOG_DBG(ndpi_struct, "excluding thunder tcp at stage %u\n", flow->thunder_stage); NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_THUNDER); } @@ -153,12 +148,12 @@ void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct if (packet->detected_protocol_stack[0] == NDPI_PROTOCOL_THUNDER) { if (src != NULL && ((u_int32_t) (packet->tick_timestamp - src->thunder_ts) < ndpi_struct->thunder_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "thunder : save src connection packet detected\n"); src->thunder_ts = packet->tick_timestamp; } else if (dst != NULL && ((u_int32_t) (packet->tick_timestamp - dst->thunder_ts) < ndpi_struct->thunder_timeout)) { - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "thunder : save dst connection packet detected\n"); dst->thunder_ts = packet->tick_timestamp; } 
@@ -167,7 +162,7 @@ void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct if (packet->payload_packet_len > 5 && memcmp(packet->payload, "GET /", 5) == 0 && NDPI_SRC_OR_DST_HAS_PROTOCOL(src, dst, NDPI_PROTOCOL_THUNDER)) { - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, "HTTP packet detected.\n"); + NDPI_LOG_DBG2(ndpi_struct, "HTTP packet detected\n"); ndpi_parse_packet_line_info(ndpi_struct, flow); if (packet->parsed_lines > 7 @@ -186,8 +181,8 @@ void ndpi_int_search_thunder_http(struct ndpi_detection_module_struct && packet->user_agent_line.len > 49 && memcmp(packet->user_agent_line.ptr, "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)", 50) == 0) { - NDPI_LOG(NDPI_PROTOCOL_THUNDER, ndpi_struct, NDPI_LOG_DEBUG, - "Thunder HTTP download detected, adding flow.\n"); + NDPI_LOG_INFO(ndpi_struct, + "found thunder HTTP download detected\n"); ndpi_int_thunder_add_connection(ndpi_struct, flow); } } diff --git a/src/lib/protocols/tinc.c b/src/lib/protocols/tinc.c index cdd330bca..adb547a48 100644 --- a/src/lib/protocols/tinc.c +++ b/src/lib/protocols/tinc.c @@ -18,11 +18,14 @@ * along with nDPI. If not, see . * */ +#include "ndpi_protocol_ids.h" +#ifdef NDPI_PROTOCOL_TINC + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TINC #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_TINC static void ndpi_check_tinc(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { @@ -52,7 +55,7 @@ static void ndpi_check_tinc(struct ndpi_detection_module_struct *ndpi_struct, st /* cache_free(ndpi_struct->tinc_cache); */ - NDPI_LOG(NDPI_PROTOCOL_TINC, ndpi_struct, NDPI_LOG_DEBUG, "Found tinc udp connection\n"); + NDPI_LOG_INFO(ndpi_struct, "found tinc udp connection\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TINC, NDPI_PROTOCOL_UNKNOWN); } } 
@@ -111,7 +114,7 @@ static void ndpi_check_tinc(struct ndpi_detection_module_struct *ndpi_struct, st ndpi_struct->tinc_cache = cache_new(TINC_CACHE_MAX_SIZE); cache_add(ndpi_struct->tinc_cache, &(flow->tinc_cache_entry), sizeof(flow->tinc_cache_entry)); - NDPI_LOG(NDPI_PROTOCOL_TINC, ndpi_struct, NDPI_LOG_DEBUG, "Found tinc tcp connection\n"); + NDPI_LOG_INFO(ndpi_struct, "found tinc tcp connection\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TINC, NDPI_PROTOCOL_UNKNOWN); } return; @@ -123,14 +126,13 @@ static void ndpi_check_tinc(struct ndpi_detection_module_struct *ndpi_struct, st } } - NDPI_LOG(NDPI_PROTOCOL_TINC, ndpi_struct, NDPI_LOG_DEBUG, "exclude tinc.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TINC); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_tinc(struct ndpi_detection_module_struct* ndpi_struct, struct ndpi_flow_struct* flow) { struct ndpi_packet_struct* packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_TINC, ndpi_struct, NDPI_LOG_DEBUG, "tinc detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "tinc detection\n"); if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_TINC) { if(packet->tcp_retransmission == 0) { diff --git a/src/lib/protocols/tor.c b/src/lib/protocols/tor.c index f6987ef19..93c4fecca 100644 --- a/src/lib/protocols/tor.c +++ b/src/lib/protocols/tor.c @@ -5,10 +5,15 @@ * Copyright (C) 2013 Remy Mudingay * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_TOR +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TOR + +#include "ndpi_api.h" + + static void ndpi_int_tor_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_TOR, NDPI_PROTOCOL_UNKNOWN); 
@@ -88,23 +93,22 @@ void ndpi_search_tor(struct ndpi_detection_module_struct *ndpi_struct, struct nd struct ndpi_packet_struct *packet = &flow->packet; u_int16_t dport = 0, sport = 0; - NDPI_LOG(NDPI_PROTOCOL_TOR, ndpi_struct, NDPI_LOG_DEBUG, "search for TOR.\n"); + NDPI_LOG_DBG(ndpi_struct, "search for TOR\n"); if(packet->tcp != NULL) { sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); - NDPI_LOG(NDPI_PROTOCOL_TOR, ndpi_struct, NDPI_LOG_DEBUG, "calculating TOR over tcp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculating TOR over tcp\n"); if ((((dport == 9001) || (sport == 9001)) || ((dport == 9030) || (sport == 9030))) && ((packet->payload[0] == 0x17) || (packet->payload[0] == 0x16)) && (packet->payload[1] == 0x03) && (packet->payload[2] == 0x01) && (packet->payload[3] == 0x00)) { - NDPI_LOG(NDPI_PROTOCOL_TOR, ndpi_struct, NDPI_LOG_DEBUG, "found tor.\n"); + NDPI_LOG_INFO(ndpi_struct, "found tor\n"); ndpi_int_tor_add_connection(ndpi_struct, flow); } } else { - NDPI_LOG(NDPI_PROTOCOL_TOR, ndpi_struct, NDPI_LOG_DEBUG, "exclude TOR.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TOR); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } diff --git a/src/lib/protocols/tvants.c b/src/lib/protocols/tvants.c index 7297e489f..ceee278b9 100644 --- a/src/lib/protocols/tvants.c +++ b/src/lib/protocols/tvants.c @@ -22,11 +22,14 @@ * */ - -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_TVANTS +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TVANTS + +#include "ndpi_api.h" + static void ndpi_int_tvants_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
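Review bot: In the tor.c hunk, the match condition reads `packet->payload[0]` through `packet->payload[3]` without any visible check of `packet->payload_packet_len`. A TCP segment on port 9001 or 9030 with fewer than four payload bytes (a bare ACK, for instance) would be read past its end unless a caller guarantees a minimum length. The commit only touches the log calls here, but the guard is cheap to add while the block is open: start the condition with `(packet->payload_packet_len >= 4) &&`. The function's opening brace sits just above the hunk, so a check there cannot be ruled out, but none appears between the declarations and the condition.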
@@ -40,13 +43,8 @@ void ndpi_search_tvants_udp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - - - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "search tvants. \n"); + NDPI_LOG_DBG(ndpi_struct, "search tvants. \n"); if (packet->udp != NULL && packet->payload_packet_len > 57 && packet->payload[0] == 0x04 && packet->payload[1] == 0x00 @@ -57,7 +55,7 @@ void ndpi_search_tvants_udp(struct ndpi_detection_module_struct && (memcmp(&packet->payload[48], "TVANTS", 6) == 0 || memcmp(&packet->payload[49], "TVANTS", 6) == 0 || memcmp(&packet->payload[51], "TVANTS", 6) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "found tvants over udp. \n"); + NDPI_LOG_INFO(ndpi_struct, "found tvants over udp. \n"); ndpi_int_tvants_add_connection(ndpi_struct, flow); } else if (packet->tcp != NULL && packet->payload_packet_len > 15 @@ -67,12 +65,11 @@ void ndpi_search_tvants_udp(struct ndpi_detection_module_struct && packet->payload[6] == 0x00 && packet->payload[7] == 0x00 && memcmp(&packet->payload[8], "TVANTS", 6) == 0) { - NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "found tvants over tcp. \n"); + NDPI_LOG_INFO(ndpi_struct, "found tvants over tcp. \n"); ndpi_int_tvants_add_connection(ndpi_struct, flow); } - NDPI_LOG(NDPI_PROTOCOL_TVANTS, ndpi_struct, NDPI_LOG_DEBUG, "exclude tvants. \n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TVANTS); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/tvuplayer.c b/src/lib/protocols/tvuplayer.c index 2d35ae6cc..2160a5afa 100644 --- a/src/lib/protocols/tvuplayer.c +++ b/src/lib/protocols/tvuplayer.c 
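Review bot: In tvants.c, both detection branches of `ndpi_search_tvants_udp` call `ndpi_int_tvants_add_connection(ndpi_struct, flow);` and then fall through to `NDPI_EXCLUDE_PROTO(ndpi_struct, flow);` at the end of the function. A flow just classified as TVANTS is therefore also put in the excluded bitmask, and with the new macro presumably logged as excluded too. The other dissectors in this commit return right after the add call; adding `return;` after each `ndpi_int_tvants_add_connection(ndpi_struct, flow);` (the UDP branch in the -57,7 hunk and the TCP branch in the -67,12 hunk) would make this one consistent.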
@@ -22,10 +22,13 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_TVUPLAYER +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_TVUPLAYER + +#include "ndpi_api.h" static void ndpi_int_tvuplayer_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , */ @@ -39,19 +42,14 @@ void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, str struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "search tvuplayer. \n"); - - + NDPI_LOG_DBG(ndpi_struct, "search tvuplayer. \n"); if (packet->tcp != NULL) { if ((packet->payload_packet_len == 36 || packet->payload_packet_len == 24) && packet->payload[0] == 0x00 && ntohl(get_u_int32_t(packet->payload, 2)) == 0x31323334 && ntohl(get_u_int32_t(packet->payload, 6)) == 0x35363837 && packet->payload[10] == 0x01) { - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "found tvuplayer over tcp. \n"); + NDPI_LOG_INFO(ndpi_struct, "found tvuplayer over tcp. \n"); ndpi_int_tvuplayer_add_connection(ndpi_struct, flow); return; } @@ -62,7 +60,7 @@ void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, str NDPI_PARSE_PACKET_LINE_INFO(ndpi_struct, flow, packet); if (packet->user_agent_line.ptr != NULL && packet->user_agent_line.len >= 8 && (memcmp(packet->user_agent_line.ptr, "MacTVUP", 7) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "Found user agent as MacTVUP.\n"); + NDPI_LOG_INFO(ndpi_struct, "Found user agent as MacTVUP\n"); ndpi_int_tvuplayer_add_connection(ndpi_struct, flow); return; } 
@@ -79,7 +77,7 @@ void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, str && packet->payload[12] == 0x02 && packet->payload[13] == 0xff && packet->payload[19] == 0x2c && ((packet->payload[26] == 0x05 && packet->payload[27] == 0x14) || (packet->payload[26] == 0x14 && packet->payload[27] == 0x05))) { - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "found tvuplayer pattern type I. \n"); + NDPI_LOG_INFO(ndpi_struct, "found tvuplayer pattern type I. \n"); ndpi_int_tvuplayer_add_connection(ndpi_struct, flow); return; } @@ -91,7 +89,7 @@ void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, str && packet->payload[33] == 0xff && packet->payload[34] == 0x01 && packet->payload[39] == 0x32 && ((packet->payload[46] == 0x05 && packet->payload[47] == 0x14) || (packet->payload[46] == 0x14 && packet->payload[47] == 0x05))) { - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "found tvuplayer pattern type II. \n"); + NDPI_LOG_INFO(ndpi_struct, "found tvuplayer pattern type II. \n"); ndpi_int_tvuplayer_add_connection(ndpi_struct, flow); return; } @@ -103,7 +101,7 @@ void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, str || packet->payload[11] == 0x06 || packet->payload[11] == 0x22) && packet->payload[12] == 0x01 && (packet->payload[13] == 0xff || packet->payload[13] == 0x01) && packet->payload[19] == 0x14) { - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "found tvuplayer pattern type III. \n"); + NDPI_LOG_INFO(ndpi_struct, "found tvuplayer pattern type III. \n"); ndpi_int_tvuplayer_add_connection(ndpi_struct, flow); return; } 
@@ -113,7 +111,7 @@ void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, str && packet->payload[12] == 0x01 && packet->payload[13] == 0xff && packet->payload[19] == 0x14 && packet->payload[32] == 0x03 && packet->payload[33] == 0xff && packet->payload[34] == 0x01 && packet->payload[39] == 0x34) { - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "found tvuplayer pattern type IV. \n"); + NDPI_LOG_INFO(ndpi_struct, "found tvuplayer pattern type IV. \n"); ndpi_int_tvuplayer_add_connection(ndpi_struct, flow); return; } @@ -122,7 +120,7 @@ void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, str && packet->payload[10] == 0x00 && packet->payload[11] == 0x00 && packet->payload[12] == 0x01 && packet->payload[13] == 0xff && packet->payload[19] == 0x14 && packet->payload[33] == 0xff && packet->payload[39] == 0x14) { - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "found tvuplayer pattern type V. \n"); + NDPI_LOG_INFO(ndpi_struct, "found tvuplayer pattern type V. \n"); ndpi_int_tvuplayer_add_connection(ndpi_struct, flow); return; } @@ -131,7 +129,7 @@ void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, str && packet->payload[12] == 0x03 && packet->payload[13] == 0xff && packet->payload[19] == 0x32 && ((packet->payload[26] == 0x05 && packet->payload[27] == 0x14) || (packet->payload[26] == 0x14 && packet->payload[27] == 0x05))) { - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "found tvuplayer pattern type VI. \n"); + NDPI_LOG_INFO(ndpi_struct, "found tvuplayer pattern type VI. \n"); ndpi_int_tvuplayer_add_connection(ndpi_struct, flow); return; } 
@@ -140,14 +138,13 @@ void ndpi_search_tvuplayer(struct ndpi_detection_module_struct *ndpi_struct, str && packet->payload[0] == 0x00 && packet->payload[2] == 0x00 && packet->payload[10] == 0x00 && packet->payload[11] == 0x00 && packet->payload[12] == 0x06 && packet->payload[13] == 0x00 && packet->payload[19] == 0x30) { - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "found tvuplayer pattern type VII. \n"); + NDPI_LOG_INFO(ndpi_struct, "found tvuplayer pattern type VII. \n"); ndpi_int_tvuplayer_add_connection(ndpi_struct, flow); return; } } - NDPI_LOG(NDPI_PROTOCOL_TVUPLAYER, ndpi_struct, NDPI_LOG_DEBUG, "exclude tvuplayer. \n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_TVUPLAYER); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/ubntac2.c b/src/lib/protocols/ubntac2.c index 7196ee884..012c8712e 100644 --- a/src/lib/protocols/ubntac2.c +++ b/src/lib/protocols/ubntac2.c @@ -19,10 +19,15 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_UBNTAC2 +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_UBNTAC2 + +#include "ndpi_api.h" + + static void ndpi_int_ubntac2_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_UBNTAC2, NDPI_PROTOCOL_UNKNOWN); @@ -33,7 +38,8 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_TRACE, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest)); + NDPI_LOG_DBG(ndpi_struct, "search ubntac2\n"); + NDPI_LOG_DBG2(ndpi_struct, "UBNTAC2 detection... plen:%i %i:%i\n", packet->payload_packet_len, ntohs(packet->udp->source), ntohs(packet->udp->dest)); if(packet->udp) { if(packet->payload_packet_len >= 135 && 
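Review bot: In the ubntac2.c hunk at -33,7, the new `NDPI_LOG_DBG2` line evaluates `ntohs(packet->udp->source)` and `ntohs(packet->udp->dest)` one line before the `if(packet->udp)` test. If the dissector is ever called for a non-UDP packet in a build where the debug macros expand to real code, that is a NULL dereference triggered by traffic. Moving the `NDPI_LOG_DBG2(ndpi_struct, "UBNTAC2 detection... plen:%i %i:%i\n", ...)` call to be the first statement inside `if(packet->udp) {` keeps the message and removes the hazard. The rest of the function lies outside the hunk.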
@@ -64,7 +70,7 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc flow->protos.ubntac2.version[len] = '\0'; } - NDPI_LOG(NDPI_PROTOCOL_UBNTAC2, ndpi_struct, NDPI_LOG_DEBUG, "UBNT AirControl 2 request\n"); + NDPI_LOG_INFO(ndpi_struct, "UBNT AirControl 2 request\n"); ndpi_int_ubntac2_add_connection(ndpi_struct, flow); } @@ -72,7 +78,7 @@ void ndpi_search_ubntac2(struct ndpi_detection_module_struct *ndpi_struct, struc } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_UBNTAC2); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/usenet.c b/src/lib/protocols/usenet.c index 4648a69ab..0a995d6f8 100644 --- a/src/lib/protocols/usenet.c +++ b/src/lib/protocols/usenet.c @@ -23,10 +23,13 @@ */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_USENET +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_USENET + +#include "ndpi_api.h" static void ndpi_int_usenet_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -41,17 +44,9 @@ void ndpi_search_usenet_tcp(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; -// struct ndpi_id_struct *src=ndpi_struct->src; -// struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: search usenet.\n"); - - - - - - NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: STAGE IS %u.\n", flow->l4.tcp.usenet_stage); + NDPI_LOG_DBG(ndpi_struct, "search usenet\n"); + NDPI_LOG_DBG2(ndpi_struct, "STAGE IS %u\n", flow->l4.tcp.usenet_stage); // check for the first server replay /* 
@@ -62,10 +57,10 @@ void ndpi_search_usenet_tcp(struct ndpi_detection_module_struct && ((memcmp(packet->payload, "200 ", 4) == 0) || (memcmp(packet->payload, "201 ", 4) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: found 200 or 201.\n"); + NDPI_LOG_DBG2(ndpi_struct, "found 200 or 201\n"); flow->l4.tcp.usenet_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: maybe hit.\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe hit\n"); return; } @@ -78,28 +73,23 @@ void ndpi_search_usenet_tcp(struct ndpi_detection_module_struct // check for client username if (flow->l4.tcp.usenet_stage == 2 - packet->packet_direction) { if (packet->payload_packet_len > 20 && (memcmp(packet->payload, "AUTHINFO USER ", 14) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: username found\n"); + NDPI_LOG_DBG2(ndpi_struct, "username found\n"); flow->l4.tcp.usenet_stage = 3 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: found usenet.\n"); + NDPI_LOG_INFO(ndpi_struct, "found usenet\n"); ndpi_int_usenet_add_connection(ndpi_struct, flow); return; } else if (packet->payload_packet_len == 13 && (memcmp(packet->payload, "MODE READER\r\n", 13) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, - "USENET: no login necessary but we are a client.\n"); + NDPI_LOG_DBG2(ndpi_struct, + "no login necessary but we are a client.\n"); - NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: found usenet.\n"); + NDPI_LOG_INFO(ndpi_struct, "found usenet\n"); ndpi_int_usenet_add_connection(ndpi_struct, flow); return; } } - - - NDPI_LOG(NDPI_PROTOCOL_USENET, ndpi_struct, NDPI_LOG_DEBUG, "USENET: exclude usenet.\n"); - - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_USENET); - + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } 
diff --git a/src/lib/protocols/vhua.c b/src/lib/protocols/vhua.c index e20477573..844eaf84f 100644 --- a/src/lib/protocols/vhua.c +++ b/src/lib/protocols/vhua.c @@ -17,7 +17,11 @@ * along with nDPI. If not, see . * */ +#include "ndpi_protocol_ids.h" +#ifdef NDPI_PROTOCOL_VHUA + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VHUA #include "ndpi_api.h" @@ -28,11 +32,10 @@ */ -#ifdef NDPI_PROTOCOL_VHUA static void ndpi_int_vhua_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VHUA, NDPI_PROTOCOL_UNKNOWN); - NDPI_LOG(NDPI_PROTOCOL_VHUA, ndpi_struct, NDPI_LOG_TRACE, "VHUA Found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found VHUA\n"); } @@ -47,8 +50,7 @@ static void ndpi_check_vhua(struct ndpi_detection_module_struct *ndpi_struct, st if((flow->packet_counter > 3) || (packet->udp == NULL) || (packet->payload_packet_len < sizeof(p0))) { - NDPI_LOG(NDPI_PROTOCOL_VHUA, ndpi_struct, NDPI_LOG_TRACE, "Exclude VHUA.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VHUA); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } else if(memcmp(packet->payload, p0, sizeof(p0)) == 0) { ndpi_int_vhua_add_connection(ndpi_struct, flow); } @@ -57,7 +59,7 @@ static void ndpi_check_vhua(struct ndpi_detection_module_struct *ndpi_struct, st void ndpi_search_vhua(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_VHUA, ndpi_struct, NDPI_LOG_TRACE, "VHUA detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search VHUA\n"); /* skip marked packets */ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_VHUA) { diff --git a/src/lib/protocols/viber.c b/src/lib/protocols/viber.c index 111a53007..517b74b91 100644 --- a/src/lib/protocols/viber.c +++ b/src/lib/protocols/viber.c 
@@ -18,31 +18,34 @@ * If not, see . */ +#include "ndpi_protocol_ids.h" + +#ifdef NDPI_PROTOCOL_VIBER + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VIBER #include "ndpi_api.h" -#ifdef NDPI_PROTOCOL_VIBER void ndpi_search_viber(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "search for VIBER.\n"); + NDPI_LOG_DBG(ndpi_struct, "search for VIBER\n"); if(packet->udp != NULL) { - NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "calculating dport over udp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "calculating dport over udp\n"); if((packet->payload_packet_len == 12 && packet->payload[2] == 0x03 && packet->payload[3] == 0x00) || (packet->payload_packet_len == 20 && packet->payload[2] == 0x09 && packet->payload[3] == 0x00) || ((packet->payload_packet_len < 135) && (packet->payload[0] == 0x11))) { - NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "found VIBER.\n"); + NDPI_LOG_DBG(ndpi_struct, "found VIBER\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VIBER, NDPI_PROTOCOL_UNKNOWN); return; } } - NDPI_LOG(NDPI_PROTOCOL_VIBER, ndpi_struct, NDPI_LOG_DEBUG, "exclude VIBER.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VIBER); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/vmware.c b/src/lib/protocols/vmware.c index e5421b946..34fe84ab9 100644 --- a/src/lib/protocols/vmware.c +++ b/src/lib/protocols/vmware.c 
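Review bot: The viber.c match is logged with `NDPI_LOG_DBG(ndpi_struct, "found VIBER\n");`, while every other dissector converted in this commit reports its "found ..." message through NDPI_LOG_INFO. Detections for this protocol would then be missing from an INFO-level log; I would change it to `NDPI_LOG_INFO(ndpi_struct, "found VIBER\n");`. The first "World of Warcraft: Web Client found" message in world_of_warcraft.c (hunk -72,8) has the same mismatch, and its sibling branch already uses NDPI_LOG_INFO for the identical text. Separately, the third alternative of the viber condition tests `packet->payload[0] == 0x11` with only an upper bound on the length, so an empty UDP payload is read one byte past its end; `(packet->payload_packet_len > 0) &&` in front of it would close that.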
@@ -17,28 +17,32 @@ * along with nDPI. If not, see . * */ -#include "ndpi_api.h" + +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_VMWARE +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VMWARE + +#include "ndpi_api.h" void ndpi_search_vmware(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search vmware\n"); /* Check whether this is an VMWARE flow */ if(packet->udp != NULL){ if((packet->payload_packet_len == 66) && (ntohs(packet->udp->dest) == 902) && ((packet->payload[0] & 0xFF) == 0xA4)){ - NDPI_LOG(NDPI_PROTOCOL_VMWARE, ndpi_struct, NDPI_LOG_DEBUG, "Found vmware.\n"); + NDPI_LOG_INFO(ndpi_struct, "found vmware\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VMWARE, NDPI_PROTOCOL_UNKNOWN); return; } } - NDPI_LOG(NDPI_PROTOCOL_VMWARE, ndpi_struct, NDPI_LOG_DEBUG, "exclude vmware.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VMWARE); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void init_vmware_dissector(struct ndpi_detection_module_struct *ndpi_struct, u_int32_t *id, NDPI_PROTOCOL_BITMASK *detection_bitmask) diff --git a/src/lib/protocols/vnc.c b/src/lib/protocols/vnc.c index ff0f6c6fa..6bbb26c6d 100644 --- a/src/lib/protocols/vnc.c +++ b/src/lib/protocols/vnc.c @@ -20,15 +20,19 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_VNC +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_VNC + +#include "ndpi_api.h" void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search vnc\n"); /* search over TCP */ if(packet->tcp) { 
@@ -39,7 +43,7 @@ void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc (memcmp(packet->payload, "RFB 003.007", 11) == 0 && packet->payload[11] == 0x0a) || (memcmp(packet->payload, "RFB 003.008", 11) == 0 && packet->payload[11] == 0x0a) || (memcmp(packet->payload, "RFB 004.001", 11) == 0 && packet->payload[11] == 0x0a))) { - NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "reached vnc stage one\n"); + NDPI_LOG_DBG2(ndpi_struct, "reached vnc stage one\n"); flow->l4.tcp.vnc_stage = 1 + packet->packet_direction; return; } @@ -51,14 +55,13 @@ void ndpi_search_vnc_tcp(struct ndpi_detection_module_struct *ndpi_struct, struc (memcmp(packet->payload, "RFB 003.008", 11) == 0 && packet->payload[11] == 0x0a) || (memcmp(packet->payload, "RFB 004.001", 11) == 0 && packet->payload[11] == 0x0a))) { - NDPI_LOG(NDPI_PROTOCOL_VNC, ndpi_struct, NDPI_LOG_DEBUG, "found vnc\n"); + NDPI_LOG_INFO(ndpi_struct, "found vnc\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_VNC, NDPI_PROTOCOL_UNKNOWN); return; } } } - /* exclude VNC */ - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_VNC); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/warcraft3.c b/src/lib/protocols/warcraft3.c index ab07571eb..bbc1d8388 100644 --- a/src/lib/protocols/warcraft3.c +++ b/src/lib/protocols/warcraft3.c @@ -22,12 +22,13 @@ * */ +#include "ndpi_protocol_ids.h" +#ifdef NDPI_PROTOCOL_WARCRAFT3 -/* include files */ +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WARCRAFT3 -#include "ndpi_protocols.h" -#ifdef NDPI_PROTOCOL_WARCRAFT3 +#include "ndpi_api.h" static void ndpi_int_warcraft3_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
@@ -40,52 +41,48 @@ void ndpi_search_warcraft3(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - u_int16_t l; /* Leave it as u_int32_t because otherwise 'u_int16_t temp' might overflood it and thus generate an infinite loop */ - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "search WARCRAFT3\n"); + NDPI_LOG_DBG(ndpi_struct, "search WARCRAFT3\n"); if (flow->packet_counter == 1 && packet->payload_packet_len == 1 && packet->payload[0] == 0x01) { - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "maybe warcraft3: packet_len == 1\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe warcraft3: packet_len == 1\n"); return; } else if (packet->payload_packet_len >= 4 && (packet->payload[0] == 0xf7 || packet->payload[0] == 0xff)) { - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "packet_payload begins with 0xf7 or 0xff\n"); + NDPI_LOG_DBG2(ndpi_struct, "packet_payload begins with 0xf7 or 0xff\n"); l = packet->payload[2] + (packet->payload[3] << 8); // similar to ntohs - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "l = %u \n", l); + NDPI_LOG_DBG2(ndpi_struct, "l = %u \n", l); while (l <= (packet->payload_packet_len - 4)) { if (packet->payload[l] == 0xf7) { u_int16_t temp = (packet->payload[l + 2 + 1] << 8) + packet->payload[l + 2]; - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "another f7 visited.\n"); + NDPI_LOG_DBG2(ndpi_struct, "another f7 visited\n"); if((temp <= 2) || (temp > 1500)) { - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "break\n"); + NDPI_LOG_DBG2(ndpi_struct, "break\n"); break; } else { l += temp; - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "l = %u \n", l); + NDPI_LOG_DBG2(ndpi_struct, "l = %u \n", l); } } else { - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "break\n"); + 
NDPI_LOG_DBG2(ndpi_struct, "break\n"); break; } } if (l == packet->payload_packet_len) { - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "maybe WARCRAFT3\n"); - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "flow->packet_counter = %u \n", + NDPI_LOG_DBG2(ndpi_struct, "maybe WARCRAFT3 flow->packet_counter = %u \n", flow->packet_counter); if (flow->packet_counter > 2) { - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "detected WARCRAFT3\n"); + NDPI_LOG_INFO(ndpi_struct, "found WARCRAFT3\n"); ndpi_int_warcraft3_add_connection(ndpi_struct, flow); return; } @@ -93,8 +90,7 @@ void ndpi_search_warcraft3(struct ndpi_detection_module_struct } } - NDPI_LOG(NDPI_PROTOCOL_WARCRAFT3, ndpi_struct, NDPI_LOG_DEBUG, "no warcraft3 detected.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WARCRAFT3); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/whoisdas.c b/src/lib/protocols/whoisdas.c index 968449cbd..32a9d186f 100644 --- a/src/lib/protocols/whoisdas.c +++ b/src/lib/protocols/whoisdas.c @@ -17,14 +17,21 @@ * along with nDPI. If not, see . * */ -#include "ndpi_protocols.h" + +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_WHOIS_DAS +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WHOIS_DAS + +#include "ndpi_api.h" + + void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; + NDPI_LOG_DBG(ndpi_struct, "search WHOIS/DAS\n"); if(packet->tcp != NULL) { u_int16_t sport = ntohs(packet->tcp->source), dport = ntohs(packet->tcp->dest); 
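Review bot: In warcraft3.c, the declaration `u_int16_t l;` contradicts the comment attached to it, which says to leave the variable as u_int32_t so that adding `temp` cannot overflow it and cause an infinite loop. With a 16-bit `l`, the statement `l += temp` (where `temp` may be up to 1500) can wrap when the payload length is near the top of the 16-bit range. The walk over attacker-supplied length fields then restarts from a low offset instead of terminating. The commit keeps this line as context while rewriting the logging around it; changing it to `u_int32_t l;` matches the comment, and the `"l = %u \n"` format strings stay correct.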
@@ -45,15 +52,14 @@ void ndpi_search_whois_das(struct ndpi_detection_module_struct *ndpi_struct, str flow->host_server_name[i] = '\0'; flow->server_id = ((sport == 43) || (sport == 4343)) ? flow->src : flow->dst; - NDPI_LOG(NDPI_PROTOCOL_WHOIS_DAS, ndpi_struct, NDPI_LOG_DEBUG, "[WHOIS/DAS] %s\n", flow->host_server_name); + NDPI_LOG_INFO(ndpi_struct, "[WHOIS/DAS] %s\n", flow->host_server_name); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_WHOIS_DAS, NDPI_PROTOCOL_UNKNOWN); return; } } } - /* exclude WHOIS */ - NDPI_LOG(NDPI_PROTOCOL_WHOIS_DAS, ndpi_struct, NDPI_LOG_TRACE, "WHOIS Excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WHOIS_DAS); + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/world_of_kung_fu.c b/src/lib/protocols/world_of_kung_fu.c index 0a8d2707d..534addc7d 100644 --- a/src/lib/protocols/world_of_kung_fu.c +++ b/src/lib/protocols/world_of_kung_fu.c @@ -22,11 +22,12 @@ * */ +#include "ndpi_protocol_ids.h" - -/* include files */ -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_WORLD_OF_KUNG_FU +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WORLD_OF_KUNG_FU +#include "ndpi_api.h" + static void ndpi_int_world_of_kung_fu_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { 
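Review bot: The whoisdas.c change raises `"[WHOIS/DAS] %s\n"` with `flow->host_server_name` from DEBUG to INFO, so a string that appears to be copied from the packet payload now reaches normal logs. The copy loop starts above the hunk, so whether it filters non-printable bytes cannot be confirmed from here. If it does not, a peer can place control characters or fake line breaks in the log output. I would either keep this message at `NDPI_LOG_DBG2` and log a fixed `"found WHOIS/DAS\n"` at INFO, or note the assumption next to the call with `/* host_server_name is payload-derived; copy loop must keep printable characters only */`.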
@@ -37,22 +38,18 @@ void ndpi_search_world_of_kung_fu(struct ndpi_detection_module_struct *ndpi_stru { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "search world_of_kung_fu.\n"); + NDPI_LOG_DBG(ndpi_struct, "search world_of_kung_fu\n"); if ((packet->payload_packet_len == 16) && ntohl(get_u_int32_t(packet->payload, 0)) == 0x0c000000 && ntohl(get_u_int32_t(packet->payload, 4)) == 0xd2000c00 && (packet->payload[9] == 0x16) && ntohs(get_u_int16_t(packet->payload, 10)) == 0x0000 && ntohs(get_u_int16_t(packet->payload, 14)) == 0x0000) { - NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "detected world_of_kung_fu.\n"); + NDPI_LOG_INFO(ndpi_struct, "detected world_of_kung_fu\n"); ndpi_int_world_of_kung_fu_add_connection(ndpi_struct, flow); return; } - NDPI_LOG(NDPI_PROTOCOL_WORLD_OF_KUNG_FU, ndpi_struct, NDPI_LOG_DEBUG, "exclude world_of_kung_fu.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WORLD_OF_KUNG_FU); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/world_of_warcraft.c b/src/lib/protocols/world_of_warcraft.c index de3f720ba..307f41070 100644 --- a/src/lib/protocols/world_of_warcraft.c +++ b/src/lib/protocols/world_of_warcraft.c @@ -21,12 +21,13 @@ * along with nDPI. If not, see . * */ - - -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_WORLDOFWARCRAFT +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_WORLDOFWARCRAFT + +#include "ndpi_api.h" static void ndpi_int_worldofwarcraft_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow/* , */ 
@@ -58,7 +59,7 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct struct ndpi_id_struct *src = flow->src; struct ndpi_id_struct *dst = flow->dst; - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "Search World of Warcraft.\n"); + NDPI_LOG_DBG(ndpi_struct, "search World of Warcraft\n"); if (packet->tcp != NULL) { /* @@ -72,8 +73,7 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct memcmp(packet->user_agent_line.ptr, "Blizzard Web Client", NDPI_STATICSTRING_LEN("Blizzard Web Client")) == 0) { ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, - "World of Warcraft: Web Client found\n"); + NDPI_LOG_DBG(ndpi_struct, "World of Warcraft: Web Client found\n"); return; } } @@ -89,7 +89,7 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct && memcmp(&packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("worldofwarcraft.com")], "worldofwarcraft.com", NDPI_STATICSTRING_LEN("worldofwarcraft.com")) == 0) { ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: Web Client found\n"); return; } 
@@ -97,14 +97,14 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct if (packet->payload_packet_len == 50 && memcmp(&packet->payload[2], "WORLD OF WARCRAFT CONNECTION", NDPI_STATICSTRING_LEN("WORLD OF WARCRAFT CONNECTION")) == 0) { ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: Login found\n"); + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: Login found\n"); return; } if (packet->tcp->dest == htons(3724) && packet->payload_packet_len < 70 && packet->payload_packet_len > 40 && (memcmp(&packet->payload[4], "WoW", 3) == 0 || memcmp(&packet->payload[5], "WoW", 3) == 0)) { ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "World of Warcraft: Login found\n"); + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: Login found\n"); return; } @@ -112,8 +112,7 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct if (packet->tcp->source == htons(3724) && packet->payload_packet_len == 8 && get_u_int32_t(packet->payload, 0) == htonl(0x0006ec01)) { ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, - NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n"); + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); return; } 
@@ -127,16 +126,14 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct ntohs(get_u_int16_t(packet->payload, 0)) == (packet->payload_packet_len - 2)) { if (get_u_int32_t(packet->payload, 2) == htonl(0xec010100)) { - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, - NDPI_LOG_DEBUG, "probably World of Warcraft, waiting for final packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "probably World of Warcraft, waiting for final packet\n"); flow->l4.tcp.wow_stage = 2; return; } else if (packet->payload_packet_len == 41 && (get_u_int16_t(packet->payload, 2) == htons(0x0085) || get_u_int16_t(packet->payload, 2) == htons(0x0034) || get_u_int16_t(packet->payload, 2) == htons(0x1960))) { - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, - NDPI_LOG_DEBUG, "maybe World of Warcraft, need next\n"); + NDPI_LOG_DBG2(ndpi_struct, "maybe World of Warcraft, need next\n"); flow->l4.tcp.wow_stage = 1; return; } 
@@ -155,21 +152,18 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct || memcmp(&packet->payload[packet->payload_packet_len - 30], "\x94\xec\xff\xfd\x67\x62\xd4\x67\xfb\xf9\xdd\xbd\xfd\x01\xc0\x8f\xf9\x81", 18) == 0)) { ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, - NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n"); + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); return; } if (packet->payload_packet_len > 32 && ntohs(get_u_int16_t(packet->payload, 0)) == (packet->payload_packet_len - 2)) { if (get_u_int16_t(packet->payload, 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, - NDPI_LOG_DEBUG, "probably World of Warcraft, waiting for final packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "probably World of Warcraft, waiting for final packet\n"); flow->l4.tcp.wow_stage = 2; return; } else if (get_u_int32_t(packet->payload, 2) == htonl(0x12050000)) { - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, - NDPI_LOG_DEBUG, "probably World of Warcraft, waiting for final packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "probably World of Warcraft, waiting for final packet\n"); flow->l4.tcp.wow_stage = 2; return; } 
@@ -179,16 +173,14 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct if (flow->l4.tcp.wow_stage == 2) { if (packet->payload_packet_len == 4) { ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, - NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n"); + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); return; } else if (packet->payload_packet_len > 4 && packet->payload_packet_len <= 16 && packet->payload[4] == 0x0c) { ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, - NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n"); + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); return; } else if (flow->packet_counter < 3) { - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, NDPI_LOG_DEBUG, "waiting for final packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "waiting for final packet\n"); return; } } @@ -199,14 +191,13 @@ void ndpi_search_worldofwarcraft(struct ndpi_detection_module_struct get_u_int32_t(packet->payload, 0) == htonl(0x40000aed) && get_u_int32_t(packet->payload, 4) == htonl(0xea070aed)) { ndpi_int_worldofwarcraft_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_WORLDOFWARCRAFT, ndpi_struct, - NDPI_LOG_DEBUG, "World of Warcraft: connection detected\n"); + NDPI_LOG_INFO(ndpi_struct, "World of Warcraft: connection detected\n"); return; } } } - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_WORLDOFWARCRAFT); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/xbox.c b/src/lib/protocols/xbox.c index 92f68fc34..3182c191c 100644 --- a/src/lib/protocols/xbox.c +++ b/src/lib/protocols/xbox.c 
@@ -21,9 +21,11 @@ * */ -#include "ndpi_protocols.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_XBOX +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_XBOX +#include "ndpi_api.h" static void ndpi_int_xbox_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) @@ -36,9 +38,6 @@ void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, struct n { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src = flow->src; - // struct ndpi_id_struct *dst = flow->dst; - /* * XBOX UDP DETCTION ONLY * the xbox TCP detection is done by http code @@ -49,7 +48,7 @@ void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, struct n u_int16_t dport = ntohs(packet->udp->dest); u_int16_t sport = ntohs(packet->udp->source); - NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "search xbox\n"); + NDPI_LOG_DBG(ndpi_struct, "search xbox\n"); if (packet->payload_packet_len > 12 && get_u_int32_t(packet->payload, 0) == 0 && packet->payload[5] == 0x58 && @@ -62,7 +61,7 @@ void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, struct n (packet->payload[4] == 0x06 && packet->payload[6] == 0x4e)) { ndpi_int_xbox_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "xbox udp connection detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found xbox udp connection detected\n"); return; } } 
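Review bot: The `#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_XBOX` placed ahead of `#include "ndpi_api.h"` carries no comment, yet the new `NDPI_LOG_DBG(ndpi_struct, …)` and `NDPI_EXCLUDE_PROTO(ndpi_struct, flow)` calls no longer name the protocol and so presumably take it from that macro. A one-line comment such as `/* keep before ndpi_api.h: the log and exclude macros use NDPI_CURRENT_PROTO */` would stop a later include clean-up from silently attributing log lines or exclusions to the wrong protocol; the header is not visible here, so confirm the order dependence before wording it that strongly. The same pattern recurs in the xdmcp.c, yahoo.c, zattoo.c and zeromq.c header hunks.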
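Review bot: The new message `"found xbox udp connection detected\n"` in the `-62,7` hunk carries both the new `found` prefix and the old `detected` suffix. `NDPI_LOG_INFO(ndpi_struct, "found xbox udp connection\n");` would match the wording used for the other protocols in this commit. The same string is repeated in the following `-76,10` hunk.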
@@ -76,10 +75,10 @@ void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, struct n || (packet->payload_packet_len == 28 && ntohl(get_u_int32_t(packet->payload, 0)) == 0x015f2c00))) { if (flow->l4.udp.xbox_stage == 1) { ndpi_int_xbox_add_connection(ndpi_struct, flow); - NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "xbox udp connection detected\n"); + NDPI_LOG_INFO(ndpi_struct, "found xbox udp connection detected\n"); return; } - NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "maybe xbox.\n"); + NDPI_LOG_DBG(ndpi_struct, "maybe xbox\n"); flow->l4.udp.xbox_stage++; return; } @@ -88,8 +87,7 @@ void ndpi_search_xbox(struct ndpi_detection_module_struct *ndpi_struct, struct n #ifdef NDPI_PROTOCOL_HTTP if(NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_HTTP) != 0) { #endif - NDPI_LOG(NDPI_PROTOCOL_XBOX, ndpi_struct, NDPI_LOG_DEBUG, "xbox udp excluded.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XBOX); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } } /* to not exclude tcp traffic here, done by http code... */ diff --git a/src/lib/protocols/xdmcp.c b/src/lib/protocols/xdmcp.c index 614e503b1..71bcd9c69 100644 --- a/src/lib/protocols/xdmcp.c +++ b/src/lib/protocols/xdmcp.c @@ -22,10 +22,14 @@ * */ +#include "ndpi_protocol_ids.h" -#include "ndpi_protocols.h" #ifdef NDPI_PROTOCOL_XDMCP +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_XDMCP + +#include "ndpi_api.h" + static void ndpi_int_xdmcp_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) 
@@ -38,17 +42,14 @@ void ndpi_search_xdmcp(struct ndpi_detection_module_struct { struct ndpi_packet_struct *packet = &flow->packet; - // struct ndpi_id_struct *src=ndpi_struct->src; - // struct ndpi_id_struct *dst=ndpi_struct->dst; - - NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "search xdmcp.\n"); + NDPI_LOG_DBG(ndpi_struct, "search xdmcp\n"); if (packet->tcp != NULL && (ntohs(packet->tcp->dest) >= 6000 && ntohs(packet->tcp->dest) <= 6005) && packet->payload_packet_len == 48 && packet->payload[0] == 0x6c && packet->payload[1] == 0x00 && ntohs(get_u_int16_t(packet->payload, 6)) == 0x1200 && ntohs(get_u_int16_t(packet->payload, 8)) == 0x1000) { - NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "found xdmcp over tcp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found xdmcp over tcp\n"); ndpi_int_xdmcp_add_connection(ndpi_struct, flow); return; } @@ -56,14 +57,12 @@ void ndpi_search_xdmcp(struct ndpi_detection_module_struct && packet->payload_packet_len >= 6 && packet->payload_packet_len == 6 + ntohs(get_u_int16_t(packet->payload, 4)) && ntohs(get_u_int16_t(packet->payload, 0)) == 0x0001 && ntohs(get_u_int16_t(packet->payload, 2)) == 0x0002) { - NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "found xdmcp over udp.\n"); + NDPI_LOG_INFO(ndpi_struct, "found xdmcp over udp\n"); ndpi_int_xdmcp_add_connection(ndpi_struct, flow); return; } - - NDPI_LOG(NDPI_PROTOCOL_XDMCP, ndpi_struct, NDPI_LOG_DEBUG, "exclude xdmcp.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_XDMCP); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/yahoo.c b/src/lib/protocols/yahoo.c index 569fca940..3c073482f 100644 --- a/src/lib/protocols/yahoo.c +++ b/src/lib/protocols/yahoo.c @@ -20,9 +20,12 @@ * along with nDPI. If not, see . * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_YAHOO +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_YAHOO +#include "ndpi_api.h" + struct ndpi_yahoo_header { 
@@ -87,8 +90,6 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru struct ndpi_id_struct *dst = flow->dst; const struct ndpi_yahoo_header *yahoo = (struct ndpi_yahoo_header *) packet->payload; - - if(packet->tcp) { if(packet->payload_packet_len > 0) { /* packet must be at least 20 bytes long */ @@ -96,11 +97,11 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru && memcmp(yahoo->YMSG_str, "YMSG", 4) == 0 && ((packet->payload_packet_len - 20) == ntohs(yahoo->len) || check_ymsg(packet->payload, packet->payload_packet_len))) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO FOUND\n"); + NDPI_LOG_DBG(ndpi_struct, "YAHOO FOUND\n"); flow->yahoo_detection_finished = 2; if(ntohs(yahoo->service) == 24 || ntohs(yahoo->service) == 152 || ntohs(yahoo->service) == 74) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat invite found"); + NDPI_LOG_DBG(ndpi_struct, "YAHOO conference or chat invite found"); if(src != NULL) src->yahoo_conf_logged_in = 1; @@ -108,13 +109,13 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru dst->yahoo_conf_logged_in = 1; } if(ntohs(yahoo->service) == 27 || ntohs(yahoo->service) == 155 || ntohs(yahoo->service) == 160) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO conference or chat logoff found"); + NDPI_LOG_DBG(ndpi_struct, "YAHOO conference or chat logoff found"); if(src != NULL) { src->yahoo_conf_logged_in = 0; src->yahoo_voice_conf_logged_in = 0; } } - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; 
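Review bot: Several converted messages in this hunk still lack a trailing newline (`"YAHOO conference or chat invite found"`, `"YAHOO conference or chat logoff found"`, `"found YAHOO"`), while `"YAHOO FOUND\n"` a few lines above has one. Unless the new macros append a newline themselves (their definition is not visible here), consecutive records will run together and become hard to parse or to correlate with a capture. Suggest `NDPI_LOG_INFO(ndpi_struct, "found YAHOO\n");` and likewise for the others; the later yahoo.c hunks repeat the pattern with `"found YAHOO(Mobile)"`, `"found YAHOO subtype VIDEO"` and `"found YAHOO IMG MARKED"`. ndpi_search_yahoo_tcp starts and ends outside this hunk.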
@@ -140,7 +141,7 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)) { /* this is mostly a file transfer */ - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } @@ -151,7 +152,7 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru if ((packet->user_agent_line.len >= 21) && (memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/", 21) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO(Mobile)"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } 
@@ -169,27 +170,23 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru && memcmp(packet->line[4].ptr, "User-Agent: Mozilla/5.0", 23) == 0 && packet->line[5].len >= 23 && memcmp(packet->line[5].ptr, "Cache-Control: no-cache", 23) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, - "YAHOO HTTP POST P2P FILETRANSFER FOUND\n"); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO HTTP POST P2P FILETRANSFER\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } if (packet->host_line.ptr != NULL && packet->host_line.len >= 26 && memcmp(packet->host_line.ptr, "filetransfer.msg.yahoo.com", 26) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP POST FILETRANSFER FOUND\n"); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO HTTP POST FILETRANSFER\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } /* now check every line */ for (a = 0; a < packet->parsed_lines; a++) { if (packet->line[a].len >= 4 && memcmp(packet->line[a].ptr, "YMSG", 4) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, - NDPI_LOG_TRACE, + NDPI_LOG_DBG(ndpi_struct, "YAHOO HTTP POST FOUND, line is: %.*s\n", packet->line[a].len, packet->line[a].ptr); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } 
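Review bot: The `NDPI_LOG_DBG` call inside the `for` loop still prints `packet->line[a].ptr` with `%.*s`, i.e. bytes taken directly from captured traffic, so control characters or embedded newlines chosen by a remote peer can reach the log sink and corrupt or mimic other records. Logging only the length, e.g. `NDPI_LOG_DBG(ndpi_struct, "YAHOO HTTP POST FOUND, line len %u\n", (unsigned)packet->line[a].len);`, or escaping non-printable bytes before printing, avoids that. If the text is kept, cast the precision explicitly as `(int)packet->line[a].len`, since `%.*s` requires an `int` and the field's type is not visible in this hunk. The enclosing function extends beyond the hunk.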
@@ -197,8 +194,8 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru if (packet->parsed_lines > 8 && packet->line[8].len > 250 && packet->line[8].ptr != NULL) { if (memcmp(packet->line[8].ptr, "line[8].len, packet->line[8].ptr)) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, - "found HTTP Proxy Yahoo Chat detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0) || (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO HTTP GET /Messenger. match\n"); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO HTTP GET /Messenger. match\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } @@ -222,13 +218,13 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru && memcmp(packet->user_agent_line.ptr, "YahooMobileMessenger/", NDPI_STATICSTRING_LEN("YahooMobileMessenger/")) == 0) || (packet->user_agent_line.len >= 15 && (memcmp(packet->user_agent_line.ptr, "Y!%20Messenger/", 15) == 0))) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO(Mobile)"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO(Mobile)"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } if(packet->host_line.ptr != NULL && packet->host_line.len >= NDPI_STATICSTRING_LEN("msg.yahoo.com") && memcmp(&packet->host_line.ptr[packet->host_line.len - NDPI_STATICSTRING_LEN("msg.yahoo.com")], "msg.yahoo.com", NDPI_STATICSTRING_LEN("msg.yahoo.com")) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } 
@@ -242,10 +238,10 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru if (packet->parsed_lines > 2 && packet->line[1].len == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "first line is empty.\n"); + NDPI_LOG_DBG(ndpi_struct, "first line is empty\n"); if (packet->line[2].len > 13 && memcmp(packet->line[2].ptr, "payload_packet_len > 38 && memcmp(packet->payload, "CONNECT scs.msg.yahoo.com:5050 HTTP/1.", 38) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO-HTTP FOUND\n"); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO-HTTP\n"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } @@ -264,7 +259,7 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru || (dst != NULL && NDPI_COMPARE_PROTOCOL_TO_BITMASK(dst->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) != 0)) { if (packet->payload_packet_len == 6 && memcmp(packet->payload, "YAHOO!", 6) == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } @@ -274,8 +269,6 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru if (packet->payload_packet_len == 8 && (memcmp(packet->payload, "", 8) == 0 || memcmp(packet->payload, "", 8) == 0 || memcmp(packet->payload, "", 8) == 0 || memcmp(packet->payload, "", 8) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_TRACE, "YAHOO SNDIMG or REQIMG or RVWCFG or RUPCFG FOUND\n"); - if(src != NULL) { if (memcmp(packet->payload, "", 8) == 0) { src->yahoo_video_lan_dir = 0; 
@@ -293,7 +286,7 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru dst->yahoo_video_lan_timer = packet->tick_timestamp; } - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO subtype VIDEO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO subtype VIDEO"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); return; } @@ -302,9 +295,8 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru if (src->yahoo_video_lan_dir == 1) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO IMG MARKED"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED"); return; } } @@ -312,9 +304,8 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru && ((u_int32_t) (packet->tick_timestamp - dst->yahoo_video_lan_timer) < ndpi_struct->yahoo_lan_video_timeout)) { if (dst->yahoo_video_lan_dir == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found YAHOO"); + NDPI_LOG_INFO(ndpi_struct, "found YAHOO IMG MARKED"); ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_YAHOO, NDPI_PROTOCOL_UNKNOWN); - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "IMG MARKED"); return; } } @@ -326,8 +317,7 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru { if (flow->l4.tcp.yahoo_http_proxy_stage == 0) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, - "YAHOO maybe HTTP proxy packet 1 => need next packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "YAHOO maybe HTTP proxy packet 1 => need next packet\n"); flow->l4.tcp.yahoo_http_proxy_stage = 1 + packet->packet_direction; return; } 
@@ -335,12 +325,12 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru if ((packet->payload_packet_len > 250) && (memcmp(packet->payload, "payload_packet_len, packet->payload)) { - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "found HTTP Proxy Yahoo Chat need next packet\n"); + NDPI_LOG_DBG2(ndpi_struct, "YAHOO maybe HTTP proxy still initial direction => need next packet\n"); return; } if (flow->l4.tcp.yahoo_http_proxy_stage == 2 - packet->packet_direction) { @@ -354,7 +344,7 @@ static void ndpi_search_yahoo_tcp(struct ndpi_detection_module_struct *ndpi_stru memcmp(packet->line[4].ptr, "line[8].ptr, "excluded_protocol_bitmask, NDPI_PROTOCOL_YAHOO); - } + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } void ndpi_search_yahoo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_YAHOO, ndpi_struct, NDPI_LOG_DEBUG, "search yahoo\n"); + NDPI_LOG_DBG(ndpi_struct, "search yahoo\n"); if(packet->payload_packet_len > 0 && flow->yahoo_detection_finished == 0) { @@ -385,13 +374,16 @@ void ndpi_search_yahoo(struct ndpi_detection_module_struct *ndpi_struct, struct #ifdef NDPI_PROTOCOL_SSL || packet->detected_protocol_stack[0] == NDPI_PROTOCOL_SSL) { #endif + /* search over TCP */ ndpi_search_yahoo_tcp(ndpi_struct, flow); } } /* search over UDP */ else if(packet->udp != NULL) { - if(flow->src == NULL || NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) == 0) - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_YAHOO); + if ( flow->src == NULL || + NDPI_COMPARE_PROTOCOL_TO_BITMASK(flow->src->detected_protocol_bitmask, NDPI_PROTOCOL_YAHOO) == 0) { + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); + } return; } } diff --git a/src/lib/protocols/zattoo.c b/src/lib/protocols/zattoo.c index 3b6adcec8..9c212ddde 100644 --- a/src/lib/protocols/zattoo.c +++ b/src/lib/protocols/zattoo.c 
@@ -20,9 +20,13 @@ * along with nDPI. If not, see . * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_ZATTOO + +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ZATTOO + +#include "ndpi_api.h" #ifndef WIN32 static inline @@ -33,13 +37,21 @@ u_int8_t ndpi_int_zattoo_user_agent_set(struct ndpi_detection_module_struct *ndp { if(flow->packet.user_agent_line.ptr != NULL && flow->packet.user_agent_line.len == 111) { if(memcmp(flow->packet.user_agent_line.ptr + flow->packet.user_agent_line.len - 25, "Zattoo/4", sizeof("Zattoo/4") - 1) == 0) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "found zattoo useragent\n"); + NDPI_LOG_DBG(ndpi_struct, "found zattoo useragent\n"); return 1; } } return 0; } +#define ZATTOO_DETECTED \ + if (src != NULL) \ + src->zattoo_ts = packet->tick_timestamp; \ + if (dst != NULL) \ + dst->zattoo_ts = packet->tick_timestamp; \ + \ + ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN) + void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; @@ -48,6 +60,8 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct u_int16_t i; + NDPI_LOG_DBG(ndpi_struct, "search ZATTOO\n"); + if(packet->detected_protocol_stack[0] == NDPI_PROTOCOL_ZATTOO) { if(src != NULL && ((u_int32_t) (packet->tick_timestamp - src->zattoo_ts) < ndpi_struct->zattoo_connection_timeout)) src->zattoo_ts = packet->tick_timestamp; 
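Review bot: `ZATTOO_DETECTED` expands to three separate statements, so it is only correct where the call site already sits inside braces; as the body of an unbraced `if` or `else`, only the `src` timestamp update would be conditional and the flow would be marked as Zattoo unconditionally. Wrapping the body in `do { … } while (0)` keeps every current `ZATTOO_DETECTED;` call site working and removes that trap. The macro also depends silently on caller locals named `src`, `dst`, `packet`, `ndpi_struct` and `flow`, which deserves a comment above it; a `static` helper in the style of the other dissectors' `*_add_connection` functions would be cleaner still.

```c
/* Relies on the caller's locals: src, dst, packet, ndpi_struct, flow. */
#define ZATTOO_DETECTED                                         \
  do {                                                          \
    if (src != NULL)                                            \
      src->zattoo_ts = packet->tick_timestamp;                  \
    if (dst != NULL)                                            \
      dst->zattoo_ts = packet->tick_timestamp;                  \
    ndpi_set_detected_protocol(ndpi_struct, flow,               \
                               NDPI_PROTOCOL_ZATTOO,            \
                               NDPI_PROTOCOL_UNKNOWN);          \
  } while (0)
```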
@@ -59,26 +73,14 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct if(packet->tcp != NULL) { if(packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /frontdoor/fd?brand=Zattoo&v=", 33) == 0) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with pattern GET /frontdoor/fd?brand=Zattoo&v=\n"); - - if (src != NULL) - src->zattoo_ts = packet->tick_timestamp; - if (dst != NULL) - dst->zattoo_ts = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern GET /frontdoor/fd?brand=Zattoo&v=\n"); + ZATTOO_DETECTED; return; } if(packet->payload_packet_len > 50 && memcmp(packet->payload, "GET /ZattooAdRedirect/redirect.jsp?user=", 40) == 0) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with pattern GET /ZattooAdRedirect/redirect.jsp?user=\n"); - - if(src != NULL) - src->zattoo_ts = packet->tick_timestamp; - if(dst != NULL) - dst->zattoo_ts = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern GET /ZattooAdRedirect/redirect.jsp?user=\n"); + ZATTOO_DETECTED; return; } if(packet->payload_packet_len > 50 && (memcmp(packet->payload, "POST /channelserver/player/channel/update HTTP/1.1", 50) == 0 
@@ -89,14 +91,8 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct for(i = 0; i < packet->parsed_lines; i++) { if(packet->line[i].len >= 18 && (memcmp(packet->line[i].ptr, "User-Agent: Zattoo", 18) == 0)) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with pattern POST /channelserver/player/channel/update HTTP/1.1\n"); - - if(src != NULL) - src->zattoo_ts = packet->tick_timestamp; - if(dst != NULL) - dst->zattoo_ts = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern POST /channelserver/player/channel/update HTTP/1.1\n"); + ZATTOO_DETECTED; return; } } @@ -107,12 +103,8 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct if(ndpi_int_zattoo_user_agent_set(ndpi_struct, flow)) { - if(src != NULL) - src->zattoo_ts = packet->tick_timestamp; - if(dst != NULL) - dst->zattoo_ts = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern GET / or POST /\n"); + ZATTOO_DETECTED; return; } } else if(packet->payload_packet_len > 50 && memcmp(packet->payload, "POST http://", 12) == 0) { 
@@ -141,14 +133,8 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct && packet->payload[packet->empty_line_position + 6] == 0x0a && packet->payload[packet->empty_line_position + 7] == 0x00) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with pattern POST http://\n"); - - if(src != NULL) - src->zattoo_ts = packet->tick_timestamp; - if(dst != NULL) - dst->zattoo_ts = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with pattern POST http://\n"); + ZATTOO_DETECTED; return; } } @@ -160,20 +146,14 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct && packet->payload[2] == 0x00 && packet->payload[3] == 0x04 && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) { flow->zattoo_stage = 1 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet, seen pattern 0x030400040a00\n"); + NDPI_LOG_DBG2(ndpi_struct, "need next packet, seen pattern 0x030400040a00\n"); return; } /* the following is searching for flash, not for zattoo. */ } else if(flow->zattoo_stage == 2 - packet->packet_direction && packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with 0x0304.\n"); - - if(src != NULL) - src->zattoo_ts = packet->tick_timestamp; - if(dst != NULL) - dst->zattoo_ts = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with 0x0304\n"); + ZATTOO_DETECTED; return; } else if(flow->zattoo_stage == 1 + packet->packet_direction) { 
@@ -181,7 +161,7 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct flow->zattoo_stage = 3 + packet->packet_direction; - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet, seen pattern 0x0000\n"); + NDPI_LOG_DBG2(ndpi_struct, "need next packet, seen pattern 0x0000\n"); return; } if(packet->payload_packet_len > 50 
@@ -190,46 +170,29 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct && packet->payload[2] == 0x00 && packet->payload[3] == 0x04 && packet->payload[4] == 0x0a && packet->payload[5] == 0x00) { } - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet, seen pattern 0x030400040a00\n"); + NDPI_LOG_DBG2(ndpi_struct, "need next packet, seen pattern 0x030400040a00\n"); return; } else if(flow->zattoo_stage == 4 - packet->packet_direction && packet->payload_packet_len > 50 && packet->payload[0] == 0x03 && packet->payload[1] == 0x04) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over tcp with 0x0304.\n"); - - if(src != NULL) - src->zattoo_ts = packet->tick_timestamp; - if(dst != NULL) - dst->zattoo_ts = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over tcp with 0x0304\n"); + ZATTOO_DETECTED; return; } else if(flow->zattoo_stage == 5 + packet->packet_direction && (packet->payload_packet_len == 125)) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "detected zattoo.\n"); - - if(src != NULL) - src->zattoo_ts = packet->tick_timestamp; - if(dst != NULL) - dst->zattoo_ts = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found zattoo\n"); + ZATTOO_DETECTED; return; } else if(flow->zattoo_stage == 6 - packet->packet_direction && packet->payload_packet_len == 1412) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "found zattoo.\n"); - if(src != NULL) - src->zattoo_ts = packet->tick_timestamp; - if(dst != NULL) - dst->zattoo_ts = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found zattoo\n"); + ZATTOO_DETECTED; return; } - 
NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "ZATTOO: discarded the flow (TCP): packet_size: %u; Flowstage: %u\n", packet->payload_packet_len, flow->zattoo_stage); @@ -246,27 +209,21 @@ void ndpi_search_zattoo(struct ndpi_detection_module_struct *ndpi_struct, struct if(++flow->zattoo_stage == 2) { - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "add connection over udp.\n"); - if(src != NULL) - src->zattoo_ts = packet->tick_timestamp; - if(dst != NULL) - dst->zattoo_ts = packet->tick_timestamp; - - ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZATTOO, NDPI_PROTOCOL_UNKNOWN); + NDPI_LOG_INFO(ndpi_struct, "found zattoo. add connection over udp\n"); + ZATTOO_DETECTED; return; } - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "need next packet udp.\n"); + NDPI_LOG_DBG2(ndpi_struct, "need next packet udp\n"); return; } - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, + NDPI_LOG_DBG2(ndpi_struct, "ZATTOO: discarded the flow (UDP): packet_size: %u; Flowstage: %u\n", packet->payload_packet_len, flow->zattoo_stage); } - /* exclude ZATTOO */ - NDPI_LOG(NDPI_PROTOCOL_ZATTOO, ndpi_struct, NDPI_LOG_DEBUG, "exclude zattoo.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ZATTOO); + + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); } diff --git a/src/lib/protocols/zeromq.c b/src/lib/protocols/zeromq.c index f069bba09..c7c8e9519 100644 --- a/src/lib/protocols/zeromq.c +++ b/src/lib/protocols/zeromq.c 
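Review bot: In the `-190,46` hunk the converted `NDPI_LOG_DBG2(ndpi_struct, "need next packet, seen pattern 0x030400040a00\n");` sits after an `if (…) { }` whose body is empty in the context lines, so as far as the hunk shows the message and the `return` run whether or not the six-byte pattern matched. Either move the log (and, if intended, the `return`) inside that block, or drop the empty `if` and reword the message to something like `"need next packet\n"` so the debug trace does not claim a match that was never required. This looks inherited from the old code rather than introduced here, but the commit rewrites the line and is a good place to settle it. The surrounding `else if` chain begins outside the hunk, so confirm against the full function.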
@@ -17,13 +17,16 @@ * along with nDPI. If not, see . * */ -#include "ndpi_api.h" +#include "ndpi_protocol_ids.h" #ifdef NDPI_PROTOCOL_ZMQ +#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_ZMQ + +#include "ndpi_api.h" static void ndpi_int_zmq_add_connection(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_ZMQ, NDPI_PROTOCOL_UNKNOWN); - NDPI_LOG(NDPI_PROTOCOL_ZMQ, ndpi_struct, NDPI_LOG_TRACE, "ZMQ Found.\n"); + NDPI_LOG_INFO(ndpi_struct, "found ZMQ\n"); } @@ -39,8 +42,7 @@ static void ndpi_check_zmq(struct ndpi_detection_module_struct *ndpi_struct, str /* Break after 17 packets. */ if(flow->packet_counter > 17) { - NDPI_LOG(NDPI_PROTOCOL_ZMQ, ndpi_struct, NDPI_LOG_TRACE, "Exclude ZMQ.\n"); - NDPI_ADD_PROTOCOL_TO_BITMASK(flow->excluded_protocol_bitmask, NDPI_PROTOCOL_ZMQ); + NDPI_EXCLUDE_PROTO(ndpi_struct, flow); return; } @@ -85,7 +87,7 @@ static void ndpi_check_zmq(struct ndpi_detection_module_struct *ndpi_struct, str void ndpi_search_zmq(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow) { struct ndpi_packet_struct *packet = &flow->packet; - NDPI_LOG(NDPI_PROTOCOL_ZMQ, ndpi_struct, NDPI_LOG_TRACE, "ZMQ detection...\n"); + NDPI_LOG_DBG(ndpi_struct, "search ZMQ\n"); /* skip marked packets */ if(packet->detected_protocol_stack[0] != NDPI_PROTOCOL_ZMQ) { -- cgit v1.2.3